CVE-2025-34088
An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows
CVSS
8.8
High
EPSS
5.1%
p91
KEV
—
Exploit Today
27
0-100
Published: Jul 3, 2025 · Last modified: Jul 14, 2026 · CWE-78
5.1%EPSS · 30 days5.1%
2026-06-302026-07-16
An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.
- github.comhttps://github.com/pandorafms/pandorafms
- raw.githubusercontent.comhttps://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_ping_cmd_exec.rb
- vulncheck.comhttps://vulncheck.com/advisories/pandora-fms-rce-via-ping
- www.exploit-db.comhttps://www.exploit-db.com/exploits/48334
- www.rapid7.comhttps://www.rapid7.com/db/modules/exploit/linux/http/pandora_ping_cmd_exec/
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-341978.8 HIG99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability2dCVE-2024-121210.0 CRI99.9%
KEV—80Progress Kemp LoadMaster OS Command Injection Vulnerability3dCVE-2022-262589.8 CRI99.6%
KEV—80D-Link DIR-820L Remote Code Execution Vulnerability7dCVE-2026-422718.8 HIG99.6%
KEV—80BerriAI LiteLLM Command Injection Vulnerability2dCVE-2021-252988.8 HIG99.5%
KEV—80Nagios XI OS Command Injection7dCVE-2021-252978.8 HIG98.9%
KEV—80Nagios XI OS Command Injection7d