PT-2025-27828 · Unknown · Pandora Fms

Onur Er · Published 2025-07-03 · Updated 2025-09-16 · CVE-2025-34088

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pandora FMS versions 7.0NG and earlier
Description: An authenticated remote code execution issue exists: an authenticated user can execute arbitrary OS commands via the select_ips parameter of the net_tools.php functionality when performing network tools operations such as pinging. The parameter value is passed to a system command without proper sanitization, which enables OS command injection.
Recommendations: For Pandora FMS versions 7.0NG and earlier, as a temporary workaround, consider disabling the net_tools.php functionality until a patch is available. Restrict access to the net_tools.php module to minimize the risk of exploitation. Avoid using the select_ips parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
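As an added example (not Pandora FMS's own code), this is the kind of allow-list check that closes this class of bug: every value in a select_ips-style list must be a syntactically valid IP address before any shell command is built, with escapeshellarg() and a "--" terminator as second layers. The function names are hypothetical and the inputs at the bottom are constructed.

```php
<?php
// Added example, not Pandora FMS code. validate_ip_list() and
// build_ping_command() are hypothetical names for illustration.

function validate_ip_list(string $raw): array {
    $ips = [];
    // Split on commas/whitespace; each piece must be a complete IP address.
    foreach (preg_split('/[\s,]+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) as $candidate) {
        // FILTER_VALIDATE_IP accepts only well-formed IPv4/IPv6 literals, so
        // shell metacharacters, hostnames and option-like strings are rejected.
        if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException("Rejected target: " . $candidate);
        }
        $ips[] = $candidate;
    }
    if ($ips === []) {
        throw new InvalidArgumentException("No targets supplied");
    }
    return $ips;
}

function build_ping_command(string $ip): string {
    // Allow-list validation above is the primary control. escapeshellarg()
    // passes the value as one quoted argument, and "--" ensures it can never
    // be parsed as a ping option. One command per target.
    return 'ping -c 3 -- ' . escapeshellarg($ip);
}

// Constructed inputs: a benign list and one carrying shell metacharacters.
foreach (validate_ip_list("10.0.0.1, 2001:db8::1") as $ip) {
    echo build_ping_command($ip), PHP_EOL;
}
try {
    validate_ip_list("10.0.0.1; whoami");
} catch (InvalidArgumentException $e) {
    // Logging the rejected value gives defenders a detection signal as well.
    echo "Blocked: ", $e->getMessage(), PHP_EOL;
}
```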

Tags: Exploit · RCE · OS Command Injection

Related Identifiers: CVE-2025-34088
Affected Products: Pandora Fms