cbcvebase.
CVE-2014-125124
published 2025-07-31

CVE-2014-125124: An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which…

PriorityP181critical10CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
1.84%
76.4th percentile
An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which listens on TCP port 8023. The anyterm-module endpoint accepts unsanitized user input via the p parameter and directly injects it into a shell command, allowing arbitrary command execution as the pandora user. In certain versions (notably 4.1 and 5.0RC1), the pandora user can elevate privileges to root without a password using a chain involving the artica user account. This account is typically installed without a password and is configured to run sudo without authentication. Therefore, full system compromise is possible without any credentials.

Affected

1 ranges
VendorProductVersion rangeFixed in
artica_stpandora_fms<= 5.0RC1

Detection & IOCsextracted from sources · hover to see the quote

port8023/TCP
url/anyterm-module
otherp
  • Monitor for unauthenticated HTTP requests to the /anyterm-module endpoint on port 8023/TCP, particularly those with shell metacharacters or command injection payloads in the 'p' parameter.
  • Alert on process execution chains where the 'pandora' user spawns a shell or executes 'su artica', followed by 'sudo' commands — indicative of the privilege escalation chain to root.
  • Detect inbound connections to TCP port 8023 from external/untrusted sources on Pandora FMS hosts, as this port exposes the vulnerable Anyterm service.
  • ·The vulnerability affects all Pandora FMS versions up to and including 5.0RC1; detections should be scoped accordingly and not assumed to apply to patched/later releases.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.