cbcvebase.
CVE-2024-12971
published 2025-03-17

CVE-2024-12971: Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection. This issue affects Pandora FMS from 700 to 777.6.

Priority: P2 · 77 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 59.42% (99.0th percentile)

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica | pandora_fms | >= 700 < 777.8 | 777.8 |
| pandora_fms | pandora_fms | 700 – 777.6 | |

Detection & IOCs (extracted from sources)

url: /pandora_console/index.php?sec=gsetup&section=general
path: /pandora_console/index.php
command: chromium_path=<payload with ; ` | or $>
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in Chromium-path (CVE-2024-12971)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pandora_console/index.php?"; fast_pattern; content:"sec|3d|gsetup"; content:"section|3d|general"; http.request_body; content:"chromium_path|3d|"; pcre:"/^[^\x26\x0d]*?[\x3b\x60\x7c\x24]/R"; reference:url,attackerkb.com/topics/BJe14wkMYS/cve-2024-12971; reference:cve,2024-12971; classtype:web-application-attack; sid:2061008; rev:1; metadata:attack_target Server, created_at 2025_03_21, cve CVE_2024_12971, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets the Pandora FMS application settings page via HTTP POST to /pandora_console/index.php with sec=gsetup&section=general, injecting OS commands into the chromium_path or phantomjs_bin parameter body fields using shell metacharacters (;, `, |, $).
  • Detect POST requests to /pandora_console/index.php?sec=gsetup&section=general where the request body contains 'chromium_path=' followed by shell injection metacharacters (0x3b=;, 0x60=`, 0x7c=|, 0x24=$) before an ampersand or CR — matches ET SID 2061008.
  • Attacker may first abuse default MySQL credentials to create a new admin user in the Pandora FMS database before exploiting the command injection — look for unexpected MySQL connections from external IPs followed by new admin account creation in Pandora FMS logs.
  • For versions <= v7.0NG.738, the Metasploit module uses a 'Tiny Reverse Netcat Command' payload — monitor for outbound netcat-style reverse shell connections from the Pandora FMS host after exploitation.
  • The attack can be executed remotely over WAN if MySQL is internet-exposed — flag any external access to MySQL ports on Pandora FMS hosts as a precursor indicator.
  • The chromium_path injection vector applies to Pandora FMS v7.0NG.768 through v7.0NG.780; the phantomjs_bin injection vector applies to v7.0NG.724 through v7.0NG.767. Detection rules and hunting queries should account for both parameters depending on the target version.
  • Exploitation requires authenticated admin access to the Pandora FMS web application, so unauthenticated detections alone are insufficient; correlate with prior authentication events or credential abuse.
  • The ET Snort rule (SID 2061008) only covers the chromium_path injection vector; a separate rule or manual hunt is needed for the phantomjs_bin parameter.
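
A hunting check for the phantomjs_bin gap noted above, as an added example (not part of the ET ruleset or the page's sources). It applies the rule's metacharacter test to both parameters and goes one step further than the rule's literal byte match by URL-decoding each field first. The function names, the `other_field` parameter and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Parameters named on this page: chromium_path (covered by ET SID 2061008)
# and phantomjs_bin (not covered by that rule).
PARAMS = ("chromium_path", "phantomjs_bin")
# Same metacharacter set as the rule's pcre: ; ` | $
META = re.compile(r"[;`|$]")
SETTINGS_PATH = "/pandora_console/index.php"


def decode_fields(encoded):
    """Split a query string or form body on '&' and URL-decode names and values."""
    fields = []
    for pair in encoded.split("&"):
        name, _, value = pair.partition("=")
        fields.append((unquote_plus(name), unquote_plus(value)))
    return fields


def flag_request(method, uri, body):
    """Return the sorted names of watched parameters carrying shell metacharacters."""
    if method.upper() != "POST":
        return []
    parts = urlsplit(uri)
    if not parts.path.endswith(SETTINGS_PATH):
        return []
    query = decode_fields(parts.query)
    if ("sec", "gsetup") not in query or ("section", "general") not in query:
        return []
    # Decoding first means %3B, %60, %7C and %24 are seen as ; ` | $.
    hits = {name for name, value in decode_fields(body)
            if name in PARAMS and META.search(value)}
    return sorted(hits)


# Constructed sample requests (method, URI, body); PLACEHOLDER stands in for
# whatever follows the metacharacter in a real request.
URI = "/pandora_console/index.php?sec=gsetup&section=general"
SAMPLES = [
    ("POST", URI, "chromium_path=/usr/bin/chromium&other_field=1"),
    ("POST", URI, "chromium_path=/usr/bin/chromium%3BPLACEHOLDER&other_field=1"),
    ("POST", URI, "other_field=1&phantomjs_bin=/usr/bin%7CPLACEHOLDER"),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, body, "->", flag_request(method, uri, body))
```

Because exploitation requires an authenticated admin session, a hit is best correlated with the preceding login for that session rather than alerted on in isolation.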

CVSS provenance

nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 8.6 · HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Green