CVE-2014-125124

Information

CVE_ID       : CVE-2014-125124
Severity     : CRITICAL
Published    : 2025-07-31T15:15:34.913
LastModified : 2025-07-31T18:42:37.870
Updated      : 2025-07-31T18:42:37.870
Status       : Awaiting Analysis

Descriptions:

An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which listens on TCP port 8023. The anyterm-module endpoint accepts unsanitized user input via the p parameter and directly injects it into a shell command, allowing arbitrary command execution as the pandora user. In certain versions (notably 4.1 and 5.0RC1), the pandora user can elevate privileges to root without a password using a chain involving the artica user account. This account is typically installed without a password and is configured to run sudo without authentication. Therefore, full system compromise is possible without any credentials.

Known Exploitability

Exploitability : False

Vendor Affected

CVE-2014-125124

V4.0

Score : 10.0
Severity : CRITICAL
Attack Vector : NETWORK
Attack Complexity : LOW
Privileges Required : NONE
User Interaction : NONE
Scope :
Confidentiality Impact :
Integrity Impact :
Availability Impact :
Exploitability :
Impact Score :

V3.1

V3.0

V2.0

Vendor Product