Cyber Resilience

CVE-2025-34088

Severity: High · Public PoC · RCE

Published: 03 July 2025
Modified: 16 September 2025
KEV Added: not listed
CVSS v4.0 base score: 8.6 (High)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.7412 (98.9th percentile)
Risk priority: 62 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-34088 is a high-severity OS command injection (CWE-78) vulnerability in Pandora FMS by Pandorafms. Its CVSS v4.0 base score is 8.6 (High).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

An authenticated remote code execution vulnerability affects Pandora FMS version 7.0NG and earlier. The flaw resides in the net_tools.php component, where the select_ips parameter used for network diagnostic operations such as ping is passed to system commands without adequate sanitization. This permits command injection, tracked as CWE-78, and carries a CVSS 4.0 score of 8.6 reflecting network-accessible exploitation by a high-privileged authenticated user with no user interaction required.

An attacker who already possesses valid administrative credentials can supply a crafted select_ips value to execute arbitrary operating-system commands on the underlying host. Successful exploitation grants full control over confidentiality, integrity, and availability of the monitored system, enabling actions such as data exfiltration, persistence installation, or lateral movement within the environment.

Public exploit code is available, including a Metasploit module and an Exploit-DB entry that demonstrate the injection vector. The associated EPSS score currently stands at 0.7412 with an identical recorded peak, indicating sustained exploitation interest following disclosure.

Vulnerability details

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pandorafms
Product: pandora fms
Versions: ≤ 7.0_ng

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
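The input-validation control above, worked through for the select_ips pattern described in the vulnerability details. This is an added illustration, not Pandora FMS code and not the vendor's fix: the parameter name follows the advisory, while the function names, the hostname rule and the logging are assumptions for this example. The handler accepts only IP literals or hostnames, rejects and logs everything else, and quotes any accepted value before it reaches the shell.

```php
<?php
// Added example (not Pandora FMS code): safe handling of a select_ips-style
// field for a ping-type network tool. Function names are this example's own.

// Return the target if it is an IPv4/IPv6 literal or a plain hostname, else null.
// Shell metacharacters (; | & $ ` and so on) can never pass either rule.
function validate_target(string $candidate): ?string
{
    $candidate = trim($candidate);
    if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    // Hostname labels: letters, digits, hyphens; dot-separated; no other characters.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (strlen($candidate) <= 253 && preg_match("/^{$label}(?:\\.{$label})*$/i", $candidate)) {
        return $candidate;
    }
    return null;
}

// Split the raw field on commas/whitespace and sort items into accepted and rejected.
function parse_select_ips(string $raw): array
{
    $result = ['accepted' => [], 'rejected' => []];
    foreach (preg_split('/[\s,]+/', $raw, -1, PREG_SPLIT_NO_EMPTY) as $item) {
        $valid = validate_target($item);
        $result[$valid === null ? 'rejected' : 'accepted'][] = $valid ?? $item;
    }
    return $result;
}

// Ping one already-validated target; escapeshellarg is a second layer on top of validation.
function ping_target(string $target): string
{
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($target) . ' 2>&1');
}

// Constructed sample input: two legitimate targets and one value carrying shell syntax.
$parsed = parse_select_ips("192.0.2.10, example.test\n10.0.0.1;whoami");
foreach ($parsed['rejected'] as $bad) {
    // A rejected value in this field is worth an alert: legitimate clients never send one.
    error_log('net_tools: rejected select_ips value ' . json_encode($bad));
}
foreach ($parsed['accepted'] as $target) {
    echo ping_target($target);
}
```

With the sample input, 192.0.2.10 and example.test are pinged and the third value is logged and dropped rather than passed to the shell.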
