CVE Alert

CVE-2025-34088

UNKNOWN 0.0

Pandora FMS Authenticated Remote Code Execution via Ping Module

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.

CWE: CWE-78
Vendor: artica st
Product: pandora fms
Published: Jul 3, 2025
Last Updated: Apr 7, 2026

Affected Versions

Artica ST / Pandora FMS
* ≤ 7.0NG

References

* raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_ping_cmd_exec.rb
* exploit-db.com: https://www.exploit-db.com/exploits/48334
* rapid7.com: https://www.rapid7.com/db/modules/exploit/linux/http/pandora_ping_cmd_exec/
* github.com: https://github.com/pandorafms/pandorafms
* vulncheck.com: https://vulncheck.com/advisories/pandora-fms-rce-via-ping

Credits

Onur ER