CVE-2020-13851
published 2020-06-11

CVE-2020-13851: Artica Pandora FMS 7.44 allows remote command execution via the events feature.

Priority: P186 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 91.09% (99.8th percentile)

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pandorafms | pandora_fms | | |

Detection & IOCs (extracted from sources)

  • url: `/pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=cat+/etc/passwd&response_id=1`
  • path: `/var/www/html/pandora_console/include/config.php`
  • path: `/pandora_console/include/chart_generator.php`
  • path: `/pandora_console/ajax.php`
  • Exploit targets the `target` parameter in HTTP POST requests to the Events function (`ajax.php?page=include/ajax/events`). Monitor for POST requests to this endpoint with shell metacharacters or commands in the `target` parameter.
  • The exploit uses `perform_event_response=10000000` and `response_id=1` as fixed query parameters alongside the injected `target` parameter. These static values can be used as a detection signature.
  • The Nuclei template detects successful exploitation by matching `root:.*:0:0:` in the HTTP response body, indicating /etc/passwd was read via command injection.
  • Post-exploitation, the Metasploit module greps the plaintext config file for MySQL credentials. Monitor for unexpected reads of `/var/www/html/pandora_console/include/config.php` by web server processes.
  • Shodan/FOFA queries `title:"Pandora FMS"` and `title="pandora fms"` can be used to identify exposed Pandora FMS instances for proactive asset discovery.
  • Valid credentials for a Pandora FMS account are required to exploit CVE-2020-13851; the account does NOT need admin privileges, lowering the bar for exploitation.
  • The vulnerability affects Pandora FMS versions 7.0 NG 742, 743, and 744 and potentially older versions.
  • The Nuclei template is marked as requiring authentication context (EPSS 0.93952 / 99.885th percentile), indicating very high exploitation probability in the wild.
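
The endpoint and fixed-parameter signatures above can be checked against web server access logs. The following is an added example, not code from any of the cited sources: it URL-decodes each request so encoded variants of the same request still match. It assumes combined-format logs that record the query string (a `target` sent only in a POST body needs body logging at a proxy or WAF) and assumes a benign `target` never contains whitespace or shell metacharacters; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/pandora_console/ajax.php"   # path IOC listed on this page
EVENTS_PAGE = "include/ajax/events"      # page= value listed on this page
FIXED = {"perform_event_response": "10000000", "response_id": "1"}
# Assumption: whitespace or these characters never occur in a benign target.
SUSPICIOUS = re.compile(r"[\s;&|`$<>(){}\\]")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+"')


def classify(line):
    """Return the list of signatures from this page that a log line matches."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group("uri"))
    # parse_qs percent-decodes keys and values and turns '+' into a space.
    query = parse_qs(url.query, keep_blank_values=True)
    if url.path != ENDPOINT or EVENTS_PAGE not in query.get("page", []):
        return []
    reasons = []
    if all(value in query.get(key, []) for key, value in FIXED.items()):
        reasons.append("fixed-parameter signature")
    if any(SUSPICIOUS.search(t) for t in query.get("target", [])):
        reasons.append("shell syntax in target")
    return reasons


def scan(lines):
    """Yield (line_number, reasons) for every line with at least one match."""
    return [(n, r) for n, r in ((i + 1, classify(l)) for i, l in enumerate(lines)) if r]


# Constructed sample lines (combined log format), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - u1 [11/Jun/2020:10:00:01 +0000] "POST /pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=cat+/etc/passwd&response_id=1 HTTP/1.1" 200 1523',
    '203.0.113.7 - u1 [11/Jun/2020:10:00:02 +0000] "POST /pandora_console/ajax.php?page=include%2Fajax%2Fevents&perform_event_response=10000000&target=cat%20%2Fetc%2Fpasswd&response_id=1 HTTP/1.1" 200 1523',
    '198.51.100.4 - u2 [11/Jun/2020:10:00:05 +0000] "POST /pandora_console/ajax.php?page=include/ajax/events&target=192.0.2.10 HTTP/1.1" 200 310',
    '198.51.100.4 - u2 [11/Jun/2020:10:00:09 +0000] "GET /pandora_console/index.php?sec=eventos HTTP/1.1" 200 8841',
    '198.51.100.4 - u2 [11/Jun/2020:10:00:12 +0000] "POST /pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=192.0.2.10&response_id=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

A line that matches only the fixed-parameter signature is lower confidence than one that also carries shell syntax in `target`.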

CVSS provenance

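| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |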