cbcvebase.
CVE-2025-5306
published 2025-06-27

CVE-2025-5306: Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778

PriorityP179critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
19.94%
97.1th percentile
Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778

Affected

2 ranges
VendorProductVersion rangeFixed in
articapandora_fms774 – 778
pandora_fmspandora_fms774 – 778

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pandora_fms_auth_netflow_rce.rb
  • Monitor HTTP requests to PandoraFMS Netflow configuration endpoints for OS command injection characters (e.g., semicolons, pipes, backticks, $() constructs) embedded in the 'directory' field parameter.
  • Exploitation requires valid credentials; alert on authenticated POST requests to Netflow settings modification endpoints followed by unusual child process spawning from the PandoraFMS web service process.
  • Confirm presence of Netflow binaries on the target system as a prerequisite for successful exploitation; monitor for unexpected execution of Netflow-related binaries with attacker-controlled arguments.
  • ·Affected versions are strictly PandoraFMS 774 through 778; verify the installed version before applying detections to avoid false positives on patched or out-of-range deployments.
  • ·Exploitation is authenticated, meaning attacker-controlled credentials are required; prioritize monitoring privileged or recently created PandoraFMS accounts as a lateral-movement or insider-threat vector.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.0HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:M/U:Green
vendor_redhat5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.