CVE-2014-125124

EPSS 45.41%
Published 31.07.2025 15:15:34
Last modified 31.07.2025 18:42:37
Source disclosure@vulncheck.com
Teams watchlist Login
Open Login

An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which listens on TCP port 8023. The anyterm-module endpoint accepts unsanitized user input via the p parameter and directly injects it into a shell command, allowing arbitrary command execution as the pandora user. In certain versions (notably 4.1 and 5.0RC1), the pandora user can elevate privileges to root without a password using a chain involving the artica user account. This account is typically installed without a password and is configured to run sudo without authentication. Therefore, full system compromise is possible without any credentials.

Affected products Warnungen 0 Metrics 2 CWE 2 References 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorArtica ST

≫

Product Pandora FMS

Default Statusunaffected

Version <= 5.0RC1

Version *

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	45.41%	0.974

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
disclosure@vulncheck.com	10	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_fms_exec.rb

https://www.exploit-db.com/exploits/31518

https://www.vulncheck.com/advisories/pandora-fms-anyterm-unauth-command-injection

https://nvd.nist.gov/vuln/detail/CVE-2014-125124

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-125124

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-125124

EUVD