CVE-2025-4653
Published 2025-06-10

CVE-2025-4653: Improper Neutralization of Special Elements in the backup name field may allow OS command injection. This issue affects Pandora ITSM 5.0.105.
Priority P3 · 43 · high · 7 · CVSS 4.0

CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:M/U:Green
Exploit: EPSS 2.41% (82.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pandora_fms | pandora_itsm | >= 5.0.105 < 5.0.106 | 5.0.106 |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to the Pandora ITSM backup setup endpoint for shell metacharacters or command injection payloads in the `name` parameter (e.g., semicolons, backticks, `$()`, pipes).
- Alert on externally exposed MySQL services associated with Pandora FMS/ITSM, as attackers may leverage default credentials to create rogue admin users prior to exploiting the RCE.
- Detect unexpected child processes (e.g., `sh`, `bash`, `curl`, `wget`) spawned from the Pandora ITSM web application process, which may indicate successful OS command injection via the backup name field.
- Exploitation requires authenticated admin access to the Pandora ITSM web application. Restricting admin account access and enforcing strong, non-default credentials reduces the attack surface significantly.
- Exposing MySQL (default port 3306) to the WAN enables a two-stage attack: first compromising the database to create an admin user, then exploiting the RCE. MySQL should not be internet-facing.
No detection rules found.
No writeups or analysis indexed.