CVE-2014-125115
Pandora FMS ≤ 5.0 SP2 Default Credential SQL Injection RCE
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Pandora FMS ≤ 5.0 SP2 Default Credential SQL Injection RCE
An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.
Reserved 2025-07-24 | Published 2025-07-25 | Updated 2025-07-25 | Assigner VulnCheckCWE-798 Use of Hard-coded Credentials
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Lincoln
www.exploit-db.com/exploits/35380
raw.githubusercontent.com/.../linux/http/pandora_fms_sqli.rb
web.archive.org/...dorafms.com/downloads/whats_new_5-SP3.pdf
web.archive.org/...121149/http://blog.pandorafms.org/?p=2041
www.vulncheck.com/...ries/pandora-fms-default-creds-sqli-rce
nvd.nist.gov (CVE-2014-125115)
Support options
