CVE-2025-4653
published 2025-06-10

CVE-2025-4653: Improper Neutralization of Special Elements in the backup name field may allow OS command injection. This issue affects Pandora ITSM 5.0.105.

Priority: P3 · 43 · high · 7 · CVSS 4.0
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:M/U:Green

Exploit

EPSS: 2.41% (82.0th percentile)

Affected

1 range

Vendor        Product        Version range           Fixed in
pandora_fms   pandora_itsm   >= 5.0.105 < 5.0.106    5.0.106

Detection & IOCs (extracted from sources)

URL: /pandora_itsm/index.php?sec=setup&sec2=operation/setup/setup&section=backup
Version: Pandora ITSM <= 5.0.105
  • Monitor HTTP POST requests to the Pandora ITSM backup setup endpoint for shell metacharacters or command injection payloads in the `name` parameter (e.g., semicolons, backticks, $(), pipes).
  • Alert on externally exposed MySQL services associated with Pandora FMS/ITSM, as attackers may leverage default credentials to create rogue admin users prior to exploiting the RCE.
  • Detect unexpected child processes (e.g., sh, bash, curl, wget) spawned from the Pandora ITSM web application process, which may indicate successful OS command injection via the backup name field.
  • Exploitation requires authenticated admin access to the Pandora ITSM web application. Restricting admin account access and enforcing strong/non-default credentials reduces the attack surface significantly.
  • Exposing MySQL (default port 3306) to the WAN enables a two-stage attack: first compromising the database to create an admin user, then exploiting the RCE. MySQL should not be internet-facing.
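The first detection bullet turned into a runnable check, as an added example that is not from cvebase or the Pandora vendor: it matches POST requests to the backup setup endpoint listed above and flags `name` values that contain shell metacharacters. The request records are constructed, and the (method, url, body) shape is an assumption about how your proxy or WAF logs are exported.

```python
import re
from urllib.parse import urlparse, parse_qs

# Endpoint from the CVE record; all three query keys must match.
BACKUP_PATH = "/pandora_itsm/index.php"
BACKUP_QUERY = {"sec": "setup", "sec2": "operation/setup/setup", "section": "backup"}

# Shell metacharacters that have no business in a backup name.
META = re.compile(r"[;|&`$(){}<>\n]")

def is_backup_endpoint(url: str) -> bool:
    """True when the URL is the Pandora ITSM backup setup page."""
    u = urlparse(url)
    if u.path != BACKUP_PATH:
        return False
    q = parse_qs(u.query)
    return all(q.get(k) == [v] for k, v in BACKUP_QUERY.items())

def suspicious_name(body: str):
    """Return the decoded `name` value if it carries shell metacharacters, else None."""
    for value in parse_qs(body, keep_blank_values=True).get("name", []):
        if META.search(value):
            return value
    return None

def scan(records):
    """records: iterable of (method, url, body) tuples (assumed export format).
    Yields (url, offending_name) for each POST that should raise an alert."""
    for method, url, body in records:
        if method != "POST" or not is_backup_endpoint(url):
            continue
        bad = suspicious_name(body)
        if bad is not None:
            yield url, bad

# Constructed sample requests, not real traffic.
BACKUP_URL = "/pandora_itsm/index.php?sec=setup&sec2=operation/setup/setup&section=backup"
SAMPLE = [
    ("POST", BACKUP_URL, "name=nightly_backup&submit=1"),   # benign
    ("POST", BACKUP_URL, "name=nightly%3B%20true&submit=1"),  # ';' in name -> alert
    ("GET", BACKUP_URL, ""),                                 # not a POST
    ("POST", "/pandora_itsm/index.php?sec=login", "name=x%3By"),  # other endpoint
]

if __name__ == "__main__":
    for url, bad in scan(SAMPLE):
        print("ALERT backup-name injection attempt:", repr(bad))
```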