CVE-2014-125115
published 2025-07-25CVE-2014-125115: An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user…
PriorityP273critical10CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
1.72%
74.6th percentile
An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica_st | pandora_fms | <= 5.0 SP2 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests to mobile/index.php for SQL injection patterns in the loginhash_data parameter (e.g., quotes, UNION SELECT, comment sequences). ↗
- →Alert on PHP file uploads to the Pandora FMS File Manager component, especially files with .php extensions being written to publicly accessible directories, which may indicate web shell deployment following authentication bypass. ↗
- →Detect exploitation attempts that first try default credentials, then fall back to SQL injection against the Auto Login hash or administrator MD5 password hash — a two-stage pattern characteristic of this exploit chain. ↗
- →Correlate successful logins to Pandora FMS shortly after anomalous SQL injection attempts against mobile/index.php — this sequence indicates credential extraction followed by authentication bypass. ↗
- ·The SQL injection is only exploitable on Pandora FMS version 5.0 SP2 and earlier; patched or newer versions are not affected. ↗
- ·The Auto Login hash extraction path is only triggered if the Auto Login feature is configured; otherwise the module falls back to extracting the MD5 administrator password hash. Detection logic should account for both sub-variants. ↗
- ·The file upload RCE stage requires prior authentication (via default credentials or the extracted hash); detections for the upload stage should be scoped to authenticated sessions. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_fms_sqli.rbhttps://web.archive.org/web/20140304121149/http://blog.pandorafms.org/?p=2041https://web.archive.org/web/20140331231237/http://pandorafms.com/downloads/whats_new_5-SP3.pdfhttps://www.exploit-db.com/exploits/35380https://www.vulncheck.com/advisories/pandora-fms-default-creds-sqli-rce
2025-07-25
Published