CVE-2020-13851

HIGH EXPLOITED NUCLEI

Pandora FMS Events Remote Command Execution

Title source: metasploit

Exploitation Summary

CVE-2020-13851 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including hadrian3689, Fernando Catoira, Julio Sanchez, Erik Wynter, including a Metasploit module exploits/linux/http/pandora_fms_events_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a Python-based exploit for CVE-2020-13851, targeting Pandora FMS 7.44. The exploit leverages authenticated remote code execution via the events feature, allowing command injection through a reverse shell payload.

Description

Artica Pandora FMS 7.44 allows remote command execution via the events feature.

Exploits (2)

nomisec WORKING POC

by hadrian3689 · poc

https://github.com/hadrian3689/pandorafms_7.44

View Code ZIP pw:eip

This repository contains a Python-based exploit for CVE-2020-13851, targeting Pandora FMS 7.44. The exploit leverages authenticated remote code execution via the events feature, allowing command injection through a reverse shell payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Pandora FMS 7.44

Auth required

Prerequisites: Valid credentials or a PHP session cookie · Network access to the target · Listener setup for reverse shell

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1078 - Valid Accounts T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Fernando Catoira, Julio Sanchez, Erik Wynter · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pandora_fms_events_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2020-13851, a command injection vulnerability in Pandora FMS's Events feature, allowing authenticated users to execute arbitrary commands via the `target` parameter in HTTP POST requests.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744

Auth required

Prerequisites: Valid credentials for a Pandora FMS account · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Artica Pandora FMS 7.44 - Remote Code Execution

HIGHVERIFIEDby theamanrawat

Shodan: title:"Pandora FMS" || http.title:"pandora fms"

FOFA: title="pandora fms"

References (3)

Core 3

Core References

Third Party Advisory x_refsource_misc

https://www.coresecurity.com/advisories

Exploit, Third Party Advisory x_refsource_misc

https://www.coresecurity.com/core-labs/advisories/pandora-fms-community-multiple-vulnerabilities

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/158390/Pandora-FMS-7.0-NG-7XX-Remote-Command-Execution.html

Scores

CVSS v3 8.8

EPSS 0.9395

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2026-04-08

CWE

CWE-78

Status published

Products (1)

pandorafms/pandora_fms 7.44

Published Jun 11, 2020

Tracked Since Feb 18, 2026