CVE-2024-12971
Published: 17 March 2025
Summary
CVE-2024-12971 is a high-severity Command Injection (CWE-77) vulnerability in Artica Pandora Fms. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-12971 is an OS command injection vulnerability stemming from improper neutralization of special elements used in commands, classified under CWE-77. It affects Pandora FMS versions 700 through 777.6 and carries a CVSS 4.0 score of 8.6 reflecting network attack vector, low attack complexity, and high privileges required.
An authenticated attacker with high privileges can send specially crafted input over the network to inject and execute arbitrary operating system commands. Successful exploitation can result in high impact to confidentiality and integrity along with limited impact to availability within the affected monitoring platform.
The single reference URL points to the vendor's page on common vulnerabilities and exposures, which is the authoritative source for any official mitigation steps or patch availability for Pandora FMS deployments.
The EPSS score stands at 0.8315, indicating substantial exploitation likelihood for this remotely exploitable flaw in a widely deployed monitoring product.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6603
Vulnerability details
Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection.This issue affects Pandora FMS from 700 to 777.6
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in a network-accessible application directly enables exploitation of public-facing apps (T1190) and arbitrary command execution via Unix shell (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates OS command injection by requiring information input validation mechanisms to neutralize special elements at input points.
Requires identification, reporting, and correction of the specific flaw in Pandora FMS enabling improper neutralization of command elements.
Limits the impact of successful OS command injection by enforcing least privilege on low-privileged user accounts.