CVE-2014-125115

CRITICAL

Pandora FMS <5.0 SP2 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2014-125115. PoCs published by Metasploit, including Metasploit module exploits/linux/http/pandora_fms_sqli.

AI-analyzed exploit summary This Metasploit module exploits SQL injection and authentication bypass vulnerabilities in Pandora FMS to achieve remote code execution. It first attempts default credentials, then extracts password hashes via SQLi if authentication fails.

Description

An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotephp

https://www.exploit-db.com/exploits/35380

View Code ZIP pw:eip

This Metasploit module exploits SQL injection and authentication bypass vulnerabilities in Pandora FMS to achieve remote code execution. It first attempts default credentials, then extracts password hashes via SQLi if authentication fails.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pandora FMS version <= 5.0 SP2

No auth needed

Prerequisites: Network access to the target · Pandora FMS web interface exposed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1078 - Valid Accounts

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pandora_fms_sqli.rb

View Code ZIP pw:eip

This Metasploit module exploits a SQL injection vulnerability in Pandora FMS to extract credentials and achieve remote code execution. It first attempts default credentials, then leverages SQLi to extract password hashes if authentication fails.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Pandora FMS version <= 5.0 SP2

No auth needed

Prerequisites: Network access to the target · Pandora FMS instance with vulnerable version

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Various Sources vendor-advisory

https://web.archive.org/web/20140331231237/http://pandorafms.com/downloads/whats_new_5-SP3.pdf

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/35380

Various Sources exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/pandora_fms_sqli.rb

Various Sources vendor-advisory

https://web.archive.org/web/20140304121149/http://blog.pandorafms.org/?p=2041

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/pandora-fms-default-creds-sqli-rce

Scores

CVSS v4 10.0

EPSS 0.0208

EPSS Percentile 79.1%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-798 CWE-89

Status published

Products (1)

Artica ST/Pandora FMS < 5.0 SP2

Published Jul 25, 2025

Tracked Since Feb 18, 2026