
CVE-2025-5306

Severity: High (RCE)
Published: 27 June 2025
Modified: 16 September 2025
KEV Added: not listed
Patch: (none recorded)
CVSS v4.0 Score: 7.0
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:M/U:Green
EPSS Score: 0.7126 (98.7th percentile)
Risk Priority: 57 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-5306 is a high-severity command injection (CWE-77) vulnerability in Artica Pandora FMS. Its CVSS v4.0 base score is 7.0 (High).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-5306 is an OS command injection vulnerability stemming from improper neutralization of special elements in the Netflow directory field, classified under CWE-77. It affects Pandora FMS versions 774 through 778 and carries a CVSS 4.0 score of 7.0, reflecting a network attack vector, low attack complexity, and high privileges required.

An authenticated administrator with network access can supply crafted input to the Netflow directory field, resulting in execution of arbitrary operating system commands. Successful exploitation yields high integrity impact along with limited confidentiality and availability effects on the target installation, with no user interaction needed.

The vendor has published details for this issue on its security advisories page at https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/.

The associated EPSS score currently stands at 0.7126, matching its recorded peak and indicating sustained exploitation interest since disclosure.

Vulnerability details

Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Artica
Product: Pandora FMS
Versions: 774 through 778

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.