Unrated severityNVD Advisory· Published Jul 3, 2025· Updated Apr 7, 2026

Pandora FMS Authenticated Remote Code Execution via Ping Module

CVE-2025-34088

Description

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.

Affected products

Artica St/Pandora Fmsv5
Range: *

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_ping_cmd_exec.rbmitreexploit
www.exploit-db.com/exploits/48334mitreexploit
vulncheck.com/advisories/pandora-fms-rce-via-pingmitrethird-party-advisory
www.rapid7.com/db/modules/exploit/linux/http/pandora_ping_cmd_exec/mitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.059
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000