CVE-2025-34088
Published: 03 July 2025
Summary
CVE-2025-34088 is a high-severity OS Command Injection (CWE-78) vulnerability in Pandora FMS (vendor: Pandorafms). Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
An authenticated remote code execution vulnerability affects Pandora FMS version 7.0NG and earlier. The flaw resides in the net_tools.php component, where the select_ips parameter used for network diagnostic operations such as ping is passed to system commands without adequate sanitization. This permits command injection, tracked as CWE-78, and carries a CVSS 4.0 score of 8.6 reflecting network-accessible exploitation by a high-privileged authenticated user with no user interaction required.
An attacker who already possesses valid administrative credentials can supply a crafted select_ips value to execute arbitrary operating-system commands on the underlying host. Successful exploitation grants full control over confidentiality, integrity, and availability of the monitored system, enabling actions such as data exfiltration, persistence installation, or lateral movement within the environment.
Public exploit code is available, including a Metasploit module and an Exploit-DB entry that demonstrate the injection vector. The associated EPSS score currently stands at 0.7412 with an identical recorded peak, indicating sustained exploitation interest following disclosure.
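The input handling that the analysis above describes as missing, shown as an added example (not Pandora FMS code and not taken from this page's sources): each `select_ips` entry is accepted only if it is an IP literal, and ping is started without a shell. The function names `parse_select_ips()` and `run_ping()`, the comma-separated input format and the ping arguments are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: NOT Pandora FMS code. Function names, the comma-separated
// input format and the ping arguments are assumptions for illustration.

/** Return the validated IP literals from a raw select_ips value; throw otherwise. */
function parse_select_ips(string $raw, int $max = 16): array
{
    $ips = [];
    foreach (explode(',', $raw) as $item) {
        $item = trim($item);
        // FILTER_VALIDATE_IP accepts only IPv4/IPv6 literals, so shell
        // metacharacters, whitespace and option-like strings are rejected.
        if (filter_var($item, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException('select_ips entry is not an IP address');
        }
        $ips[] = $item;
    }
    if (count($ips) > $max) {
        throw new InvalidArgumentException('too many addresses');
    }
    return $ips;
}

/** Ping one validated address. The argv array form (PHP >= 7.4) starts no shell. */
function run_ping(string $ip): array
{
    $argv = ['ping', '-c', '2', '--', $ip];
    // stdout is captured through a pipe; stderr is redirected into it.
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['redirect', 1]], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['status' => proc_close($proc), 'output' => $output];
}

// Constructed sample inputs: one well-formed value, one carrying a shell metacharacter.
foreach (['192.0.2.10, 2001:db8::1', '192.0.2.10;id'] as $sample) {
    try {
        echo 'accepted: ' . implode(' ', parse_select_ips($sample)) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . PHP_EOL;
    }
}
```

The demo loop only exercises the validator, so it runs without network access; `run_ping()` is meant to be called on the validated addresses.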
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19903
Vulnerability details
An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.