CVE-2025-34088

high-risk

Published 2025-07-03

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.

Do I need to act?

53.8% chance of exploitation in next 30 days

EPSS score — higher than 46% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Pandora Fms

Affected Vendors

Pandorafms

References (5)

Product https://github.com/pandorafms/pandorafms

Exploit https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exp...

Third Party Advisory https://vulncheck.com/advisories/pandora-fms-rce-via-ping

Exploit https://www.exploit-db.com/exploits/48334

Third Party Advisory https://www.rapid7.com/db/modules/exploit/linux/http/pandora_ping_cmd_exec/

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 18/34 · Moderate

Exposure 5/34 · Minimal