Vulnerability Description
An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pandorafms | Pandora Fms | <= 7.0_ng |
Related Weaknesses (CWE)
References
- https://github.com/pandorafms/pandorafmsProduct
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/expExploit
- https://vulncheck.com/advisories/pandora-fms-rce-via-pingThird Party Advisory
- https://www.exploit-db.com/exploits/48334ExploitVDB Entry
- https://www.rapid7.com/db/modules/exploit/linux/http/pandora_ping_cmd_exec/Third Party Advisory
FAQ
What is CVE-2025-34088?
CVE-2025-34088 is a vulnerability with a CVSS score of 8.8 (HIGH). An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via th...
How severe is CVE-2025-34088?
CVE-2025-34088 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-34088?
Check the references section above for vendor advisories and patch information. Affected products include: Pandorafms Pandora Fms.