CVE-2024-12992
published 2025-03-17CVE-2024-12992: Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE. This issue affects Pandora FMS from 700 to…
PriorityP263critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.26%
65.9th percentile
Improper Neutralization of Special Elements used in a Command vulnerability allows OS Command Injection via RCE.
This issue affects Pandora FMS from 700 to 777.6
.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica | pandora_fms | >= 700 < 777.8 | 777.8 |
| pandora_fms | pandora_fms | 768 – 780 | — |
Detection & IOCsextracted from sources · hover to see the quote
url/pandora_console/index.php?
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in goTTY QuickShell (CVE-2024-12992)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pandora_console/index.php?"; fast_pattern; content:"sec|3d|gsetup"; content:"section|3d|quickshell"; http.request_body; content:"port|3d|"; pcre:"/^[^\x26\x0d]*?[\x3b\x60\x7c\x24]/R"; reference:url,attackerkb.com/topics/Aua29E9XcB/cve-2024-12992; reference:cve,2024-12992; classtype:web-application-attack; sid:2061009; rev:1; metadata:attack_target Server, created_at 2025_03_21, cve CVE_2024_12992, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Exploit requests use HTTP POST method targeting the PandoraFMS console endpoint with query parameters sec=gsetup and section=quickshell, indicating abuse of the goTTY QuickShell feature.
- →OS command injection payload is delivered in the HTTP request body within the 'port' parameter; look for shell metacharacters (semicolon 0x3b, backtick 0x60, pipe 0x7c, dollar sign 0x24) immediately following the port value.
- →MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190). Deploy detection at both Perimeter and Internal network boundaries.
- ·Affected versions span a wide range (700 to 777.6); ensure version fingerprinting is in place to prioritize patching and scoping detection rules. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.6HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in goTTY QuickShell (CVE-2024-12992)
suricata·2025-03-21·CVSS 8.6
CVE-2024-12992 [HIGH] ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in goTTY QuickShell (CVE-2024-12992)
ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in goTTY QuickShell (CVE-2024-12992)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PandoraFMS OS Command Injection in goTTY QuickShell (CVE-2024-12992)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pandora_console/index.php?"; fast_pattern; content:"sec|3d|gsetup"; content:"section|3d|quickshell"; http.request_body; content:"port|3d|"; pcre:"/^[^\x26\x0d]*?[\x3b\x60\x7c\x24]/R"; reference:url,attackerkb.com/topics/Aua29E9XcB/cve-2024-12992; reference:cve,2024-12992; classtype:web-application-attack; sid:2061009; rev:1; metadata:attack_target Server, created_at 2025_03_21, cve CVE_2024_12992, deployment Perimeter, deployment Internal, confidence High, signature_severity Ma
No public exploits indexed.
No writeups or analysis indexed.
2025-03-17
Published