QwikSec

Security Database

CVE

CWE

Training

CVE-2025-34088

Published: Jul 3, 2025

Modified: May 15, 2026

PUBLISHED

Description

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.

Vendor	Product	Versions
Artica ST	Pandora FMS	affected `0 - <= 7.0NG`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_ping_cmd_exec.rb

exploit

https://www.exploit-db.com/exploits/48334

exploit

https://www.rapid7.com/db/modules/exploit/linux/http/pandora_ping_cmd_exec/

third-party-advisory

https://github.com/pandorafms/pandorafms

product

https://vulncheck.com/advisories/pandora-fms-rce-via-ping

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.