CVE-2020-13851
Published 2020-06-11
CVE-2020-13851: Artica Pandora FMS 7.44 allows remote command execution via the events feature.
Priority P186 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 91.09% (99.8th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pandorafms | pandora_fms | — | — |
Detection & IOCs (extracted from sources)
URL: `/pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=cat+/etc/passwd&response_id=1`
- Exploit targets the `target` parameter in HTTP POST requests to the Events function (`ajax.php?page=include/ajax/events`). Monitor for POST requests to this endpoint with shell metacharacters or commands in the `target` parameter.
- The exploit uses `perform_event_response=10000000` and `response_id=1` as fixed query parameters alongside the injected `target` parameter. These static values can be used as a detection signature.
- The Nuclei template detects successful exploitation by matching `root:.*:0:0:` in the HTTP response body, indicating /etc/passwd was read via command injection.
- Post-exploitation, the Metasploit module greps the plaintext config file for MySQL credentials. Monitor for unexpected reads of `/var/www/html/pandora_console/include/config.php` by web server processes.
- Shodan/FOFA queries `title:"Pandora FMS"` and `title="pandora fms"` can be used to identify exposed Pandora FMS instances for proactive asset discovery.
- Valid credentials for a Pandora FMS account are required to exploit CVE-2020-13851; the account does NOT need admin privileges, lowering the bar for exploitation.
- The vulnerability affects Pandora FMS versions 7.0 NG 742, 743, and 744 and potentially older versions.
- The Nuclei template is marked as requiring authentication context (EPSS 0.93952 / 99.885th percentile), indicating very high exploitation probability in the wild.
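A detection sketch for the request-level signatures listed above, added here as an example and not taken from any of the cited sources. It assumes request records (URL plus form body) are available from a proxy or WAF log; the function names, the metacharacter set and all sample records except the quoted IOC URL are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: characters a legitimate event-response target never needs.
# Whitespace is included because parse_qs decodes "+" to a space. Tune locally.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\s]")

def request_params(url, body=""):
    """Merge query-string and form-body parameters; `target` may arrive in either."""
    merged = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        merged.setdefault(key, []).extend(values)
    return merged

def detect(url, body=""):
    """Return the list of signatures a request to the Events endpoint matches."""
    params = request_params(url, body)
    if not urlsplit(url).path.endswith("/ajax.php"):
        return []
    if "include/ajax/events" not in params.get("page", []):
        return []
    if "perform_event_response" not in params:
        return []
    reasons = []
    if any(SHELL_META.search(t) for t in params.get("target", [])):
        reasons.append("shell-metachar-in-target")
    if params["perform_event_response"] == ["10000000"] and params.get("response_id") == ["1"]:
        reasons.append("static-poc-params")
    return reasons

# Constructed sample records (url, form body); the first URL is the IOC quoted above.
SAMPLES = [
    ("/pandora_console/ajax.php?page=include/ajax/events&perform_event_response=10000000&target=cat+/etc/passwd&response_id=1", ""),
    ("/pandora_console/ajax.php", "page=include/ajax/events&perform_event_response=10000000&target=host%3Becho+test&response_id=1"),
    ("/pandora_console/ajax.php", "page=include/ajax/events&perform_event_response=3&target=192.0.2.10&response_id=2"),
    ("/pandora_console/index.php", ""),
]

def scan(records):
    """Return (index, reasons) for every record that matches at least one signature."""
    hits = []
    for i, (url, body) in enumerate(records):
        reasons = detect(url, body)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for index, reasons in scan(SAMPLES):
        print(index, ", ".join(reasons))
```

Standard access logs usually omit POST bodies, so the body-borne case only fires where body logging or inline inspection is enabled.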
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck8.8HIGH
GHSA
GHSA-rm46-c34m-6jvf: Artica Pandora FMS 7
ghsa_unreviewed·2022-05-24
CVE-2020-13851 [HIGH] CWE-74 GHSA-rm46-c34m-6jvf: Artica Pandora FMS 7
Artica Pandora FMS 7.44 allows remote command execution via the events feature.
VulnCheck
pandorafms pandora_fms Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2020·CVSS 8.8
CVE-2020-13851 [HIGH] pandorafms pandora_fms Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Artica Pandora FMS 7.44 allows remote command execution via the events feature.
Affected: pandorafms pandora_fms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2020-13851
No detection rules found.
Metasploit
Pandora FMS Events Remote Command Execution
metasploit·CVSS 8.8
CVE-2020-13851 [HIGH] Pandora FMS Events Remote Command Execution
This module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the `Events` feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the `target` parameter in HTTP POST requests to the `Events` function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the `target` parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple `grep` command on the plaintext `/var/www/html/pandora_console/i
Nuclei
Artica Pandora FMS 7.44 - Remote Code Execution
nuclei·CVSS 8.8
CVE-2020-13851 [HIGH] Artica Pandora FMS 7.44 - Remote Code Execution
Artica Pandora FMS 7.44 allows remote command execution via the events feature.
Template:
```yaml
id: CVE-2020-13851
info:
  name: Artica Pandora FMS 7.44 - Remote Code Execution
  author: theamanrawat
  severity: high
  description: |
    Artica Pandora FMS 7.44 allows remote command execution via the events feature.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands via the events feature, leading to complete server compromise and access to all monitoring data.
  remediation: |
    Upgrade to Pandora FMS version 7.45 or later, or apply vendor-provided security patches.
  reference:
    - https://packetstormsecurity.com/files/158390/Pandora-FMS-7.0-NG-7XX-Remote-Command-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13851
    - https://ww
```
CTF
Pandora / README
ctf_writeups·CVSS 8.8
[HIGH] Pandora / README
# Pandora - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we begin by enumerating open services using ```nmap``` – finding ports ```22```, ```80``` and ```161``` (UDP).
***User 1***: By scanning for UDP ports we found port ```161```, which is the ```SNMP``` service. By running ```snmp-check``` we found a running process which contains the credentials of the ```daniel``` user.
***User 2***: By enumerating we found another web page called ```pandora_console```. We found that the file ```chart_generator.php``` is vulnerable to SQLi. Using that, we got the credentials of the ```matt``` user for ```pandora_console```. Using CVE-2020-13851 we get a reverse shell as the ```matt``` user.
***Root***: By enumerating we found binary ```/usr/bin/pandora_backup``` with
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T
- http://packetstormsecurity.com/files/158390/Pandora-FMS-7.0-NG-7XX-Remote-Command-Execution.html
- https://www.coresecurity.com/advisories
- https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities