CVE-2024-12971
published 2025-03-17
CVE-2024-12971: Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection. This issue affects Pandora FMS from 700 to 777.6
Priority P2 · 77 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 59.42% (99.0th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica | pandora_fms | >= 700 < 777.8 | 777.8 |
| pandora_fms | pandora_fms | 700 – 777.6 | — |
Detection & IOCs (extracted from sources)
command: chromium_path=<payload with ; ` | or $>
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in Chromium-path (CVE-2024-12971)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pandora_console/index.php?"; fast_pattern; content:"sec|3d|gsetup"; content:"section|3d|general"; http.request_body; content:"chromium_path|3d|"; pcre:"/^[^\x26\x0d]*?[\x3b\x60\x7c\x24]/R"; reference:url,attackerkb.com/topics/BJe14wkMYS/cve-2024-12971; reference:cve,2024-12971; classtype:web-application-attack; sid:2061008; rev:1; metadata:attack_target Server, created_at 2025_03_21, cve CVE_2024_12971, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Exploit targets the Pandora FMS application settings page via HTTP POST to /pandora_console/index.php with sec=gsetup&section=general, injecting OS commands into the chromium_path or phantomjs_bin parameter body fields using shell metacharacters (;, `, |, $).
- →Detect POST requests to /pandora_console/index.php?sec=gsetup&section=general where the request body contains 'chromium_path=' followed by shell injection metacharacters (0x3b=;, 0x60=`, 0x7c=|, 0x24=$) before an ampersand or CR — matches ET SID 2061008.
- →Attacker may first abuse default MySQL credentials to create a new admin user in the Pandora FMS database before exploiting the command injection — look for unexpected MySQL connections from external IPs followed by new admin account creation in Pandora FMS logs.
- →For versions <= v7.0NG.738, the Metasploit module uses a 'Tiny Reverse Netcat Command' payload — monitor for outbound netcat-style reverse shell connections from the Pandora FMS host after exploitation.
- →The attack can be executed remotely over WAN if MySQL is internet-exposed — flag any external access to MySQL ports on Pandora FMS hosts as a precursor indicator.
- ·The chromium_path injection vector applies to Pandora FMS v7.0NG.768 through v7.0NG.780; the phantomjs_bin injection vector applies to v7.0NG.724 through v7.0NG.767. Detection rules and hunting queries should account for both parameters depending on the target version.
- ·Exploitation requires authenticated admin access to the Pandora FMS web application — unauthenticated detections alone are insufficient; correlate with prior authentication events or credential abuse.
- ·The ET Snort rule (SID 2061008) only covers the chromium_path injection vector; a separate rule or manual hunt is needed for the phantomjs_bin parameter.
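The rule logic and the phantomjs_bin gap described in the notes above, as an added example (not part of the original page or the ET ruleset): a Python check that applies the rule's byte pattern to both parameters over HTTP request records. The record layout, the `update` and `note` fields, and the function names are assumptions made for illustration.

```python
import re

# Byte class from the pcre in ET SID 2061008: one of ; ` | $ reached before
# the next & (0x26) or CR (0x0d), i.e. still inside the same form field.
_META_IN_VALUE = rb"=[^\x26\x0d]*?[\x3b\x60\x7c\x24]"

# chromium_path is the field the ET rule covers; phantomjs_bin is the second
# field the notes above say needs its own rule or hunt.
PARAMS = (b"chromium_path", b"phantomjs_bin")
_FIELD_RE = {p: re.compile(re.escape(p) + _META_IN_VALUE) for p in PARAMS}


def suspicious_params(method, uri, body):
    """Return names of setup fields whose raw value holds a shell metacharacter."""
    if method != "POST" or "/pandora_console/index.php?" not in uri:
        return []
    if "sec=gsetup" not in uri or "section=general" not in uri:
        return []
    return [p.decode() for p in PARAMS if _FIELD_RE[p].search(body)]


SETUP = "/pandora_console/index.php?sec=gsetup&section=general"

# Constructed sample requests (method, URI, raw body); not captured traffic.
SAMPLES = [
    ("POST", SETUP, b"chromium_path=/usr/bin/chromium-browser&update=1"),
    ("POST", SETUP, b"chromium_path=/usr/bin/chromium;PLACEHOLDER&update=1"),
    ("POST", SETUP, b"phantomjs_bin=/usr/bin|PLACEHOLDER&update=1"),
    # Metacharacter sits in a different field, after the & boundary: no hit.
    ("POST", SETUP, b"chromium_path=/usr/bin/chromium&note=a;b"),
    ("GET", SETUP, b""),
]


def hunt(records):
    """Map each record index to the flagged fields, skipping clean records."""
    hits = {}
    for i, (method, uri, body) in enumerate(records):
        flagged = suspicious_params(method, uri, body)
        if flagged:
            hits[i] = flagged
    return hits


if __name__ == "__main__":
    print(hunt(SAMPLES))
```

Because exploitation requires an authenticated admin session, hits from this check are best correlated with the login and account-creation events mentioned in the notes above.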
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Green |
Suricata
ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in Chromium-path (CVE-2024-12971)
suricata·2025-03-21·CVSS 8.6
No writeups or analysis indexed.
2025-03-17
Published