CVE-2025-34088
📋 TL;DR
This vulnerability allows authenticated users in Pandora FMS to execute arbitrary operating system commands through the net_tools.php functionality. Attackers can inject malicious commands via the select_ips parameter when performing network operations like ping. Organizations running Pandora FMS version 7.0NG or earlier are affected.
💻 Affected Systems
- Pandora FMS
📦 What is this software?
Pandora FMS, by the Pandora FMS project (GitHub: pandorafms)
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with web server privileges, potentially leading to lateral movement, data exfiltration, or ransomware deployment.
Likely Case
Authenticated attackers gaining shell access to the Pandora FMS server, enabling them to steal monitoring data, pivot to other systems, or disrupt monitoring operations.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and input validation are implemented, though the vulnerability still exists.
🎯 Exploit Status
Metasploit module available. Exploitation requires valid credentials but is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0NG.769 or later
Vendor Advisory: https://github.com/pandorafms/pandorafms
Restart Required: Yes
Instructions:
1. Backup your Pandora FMS installation and database.
2. Download the latest version from the official repository.
3. Follow the upgrade instructions in the documentation.
4. Restart Pandora FMS services.
🔧 Temporary Workarounds
Disable net_tools.php
Platform: Linux
Temporarily disable the vulnerable net_tools.php functionality:
mv /var/www/html/pandora_console/enterprise/meta/net_tools.php /var/www/html/pandora_console/enterprise/meta/net_tools.php.disabled
Implement WAF Rules
Platform: all
Add web application firewall rules to block command injection patterns in the select_ips parameter.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Pandora FMS from critical systems
- Enforce strong authentication controls and monitor for suspicious authenticated user activity
🔍 How to Verify
Check if Vulnerable:
Check if net_tools.php exists and test for command injection by attempting to inject commands via select_ips parameter (use safe commands like 'whoami' in a controlled test).
Check Version:
grep 'version' /var/www/html/pandora_console/include/config.php | grep -o '[0-9]\+\.[0-9]\+[A-Z]*\.[0-9]\+'
Verify Fix Applied:
Verify the Pandora FMS version is 7.0NG.769 or later and test that command injection via select_ips parameter no longer works.
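To compare the version string returned by the grep above against the fixed release, here is an added Python helper (not part of this advisory or of Pandora FMS). It assumes the 7.0NG.769 fix version stated above, treats a version with no trailing build number as unpatched, and uses the same version pattern as the grep command to pull the value out of config.php text.

```python
import re
from typing import Optional, Tuple

# Fixed release named in the advisory's "Official Fix" section.
FIXED_VERSION = "7.0NG.769"

# Same shape the advisory's grep uses: major.minor[TAG].build, build optional here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([A-Z]*)(?:\.(\d+))?$")
# Version-like token inside arbitrary config text (mirrors the grep -o pattern).
_VERSION_TOKEN_RE = re.compile(r"\d+\.\d+[A-Z]*\.\d+")


def parse_pandora_version(text: str) -> Optional[Tuple[int, int, str, int]]:
    """Parse '7.0NG.769' into (major, minor, tag, build).

    A missing build number becomes 0 (assumption: such a string is older than
    any numbered build). Returns None when the string is not a version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, tag, build = m.groups()
    return (int(major), int(minor), tag, int(build) if build else 0)


def find_version_in_config(config_text: str) -> Optional[str]:
    """Return the first version-like token in config.php-style text, or None."""
    m = _VERSION_TOKEN_RE.search(config_text)
    return m.group(0) if m else None


def is_patched(version_text: str) -> Optional[bool]:
    """True if version_text is FIXED_VERSION or newer, False if older,
    None if it cannot be parsed.

    Only the numeric fields are compared; the letter tag (NG) is ignored,
    which is an assumption about how Pandora FMS release numbers are ordered.
    """
    parsed = parse_pandora_version(version_text)
    if parsed is None:
        return None
    fixed = parse_pandora_version(FIXED_VERSION)
    assert fixed is not None
    return (parsed[0], parsed[1], parsed[3]) >= (fixed[0], fixed[1], fixed[3])


if __name__ == "__main__":
    # Constructed sample of what the grep might see in config.php (not real file content).
    sample_config = "$pandora_version = '7.0NG.768';"
    found = find_version_in_config(sample_config)
    print(found, "patched" if is_patched(found or "") else "vulnerable or unknown")
```

Feed the helper the output of the grep command, or the whole config.php, from each monitored host; a None result means the version string did not parse and the host needs a manual look rather than being counted as patched.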
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in web server logs
- Multiple failed authentication attempts followed by net_tools.php access
- Suspicious parameters in net_tools.php requests containing shell metacharacters
Network Indicators:
- Unusual outbound connections from Pandora FMS server
- Traffic patterns indicating command and control activity
SIEM Query:
source="pandora_access.log" AND uri="/pandora_console/enterprise/meta/net_tools.php" AND (param="select_ips" AND value MATCHES "[;&|`$()]+")
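The SIEM query above and the WAF workaround under "Temporary Workarounds" both come down to the same check: a net_tools.php request whose select_ips value contains something other than an IP address. The following Python script is an added example, not code from this advisory or from Pandora FMS. It parses a few constructed Apache-style access log lines, decodes the query string (so a URL-encoded `%3B` is caught as `;`, which a raw-text match on the log can miss), flags values containing the advisory's shell metacharacter class, and also applies an allowlist that accepts only comma-separated IP literals. The log format and the allowlist rule are assumptions about the deployment.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Request path and parameter named in the advisory.
TARGET_PATH = "/pandora_console/enterprise/meta/net_tools.php"
TARGET_PARAM = "select_ips"

# Same character class as the advisory's SIEM query.
SHELL_META_RE = re.compile(r"[;&|`$()]")

# Apache/nginx combined-style access line (assumed format).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). The second carries ';whoami'
# URL-encoded in select_ips; the fourth carries a hostname instead of an IP.
SAMPLE_LOG = [
    '203.0.113.5 - admin [18/Jun/2025:10:02:11 +0000] '
    '"GET /pandora_console/enterprise/meta/net_tools.php?select_ips=192.0.2.10 HTTP/1.1" 200 512',
    '203.0.113.5 - admin [18/Jun/2025:10:02:45 +0000] '
    '"GET /pandora_console/enterprise/meta/net_tools.php?select_ips=192.0.2.10%3Bwhoami HTTP/1.1" 200 640',
    '203.0.113.5 - admin [18/Jun/2025:10:03:01 +0000] '
    '"GET /pandora_console/index.php?sec=view HTTP/1.1" 200 8000',
    '203.0.113.9 - operator [18/Jun/2025:10:04:30 +0000] '
    '"GET /pandora_console/enterprise/meta/net_tools.php?select_ips=monitor01 HTTP/1.1" 200 512',
]


def parse_access_line(line: str) -> Optional[Dict]:
    """Split one access log line into fields plus decoded path and query."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so %3B becomes ';' before inspection.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_safe_select_ips(value: str) -> bool:
    """Allowlist: every comma-separated token must be an IPv4/IPv6 literal.

    Assumption: ping targets in this form are always IP addresses. If hostnames
    are legitimate in a deployment, extend this with a strict hostname check
    rather than loosening it to 'no metacharacters'.
    """
    for token in value.split(","):
        token = token.strip()
        if not token:
            return False
        try:
            ip_address(token)
        except ValueError:
            return False
    return True


def find_suspicious(lines: List[str]) -> List[Dict]:
    """Return one record per net_tools.php request whose select_ips fails the checks."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["query"].get(TARGET_PARAM, []):
            if SHELL_META_RE.search(value):
                reason = "shell metacharacter"
            elif not is_safe_select_ips(value):
                reason = "not an IP literal (allowlist assumption)"
            else:
                continue
            hits.append({"src": rec["src"], "user": rec["user"], "ts": rec["ts"],
                         "value": value, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} user={hit['user']} "
              f"select_ips={hit['value']!r}: {hit['reason']}")
```

The metacharacter branch maps directly to the SIEM query; the allowlist branch is the stricter rule a WAF or the application itself should enforce, since a blocklist of metacharacters leaves room for encodings and characters the class does not name. Run the script over real access logs line by line, and treat a hit from an authenticated user as a reason to review that account's other activity, in line with the log indicators listed above.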
🔗 References
- https://github.com/pandorafms/pandorafms
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_ping_cmd_exec.rb
- https://vulncheck.com/advisories/pandora-fms-rce-via-ping
- https://www.exploit-db.com/exploits/48334
- https://www.rapid7.com/db/modules/exploit/linux/http/pandora_ping_cmd_exec/