CVE-2025-34088 · HIGH 8.8 · EPSS p91.3%

Description

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.09% probability of exploitation · percentile 91.3% · 2026-06-18T12:00:27Z
Published: 2025-07-03
Last modified: 2025-09-16

Underlying weaknesses · 1

CWE-78

References

  1. https://github.com/pandorafms/pandorafms
  2. https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_ping_cmd_exec.rb
  3. https://vulncheck.com/advisories/pandora-fms-rce-via-ping
  4. https://www.exploit-db.com/exploits/48334
  5. https://www.rapid7.com/db/modules/exploit/linux/http/pandora_ping_cmd_exec/

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-5306
  2. CVE-2026-30809
  3. CVE-2026-34186
  4. CVE-2026-30807
  5. CVE-2026-30806
  6. CVE-2026-30813

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.