CVE-2024-11320

CRITICAL NUCLEI

Pandora FMS authenticated command injection leading to RCE via LDAP using default DB password

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-11320. PoCs have been published by mhaskar, including the Metasploit module exploits/linux/http/pandora_fms_auth_rce_cve_2024_11320. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-11320, targeting Pandora FMS v7.0NG.777.3. The exploit leverages an authentication bypass via LDAP configuration manipulation to achieve remote code execution by injecting a malicious payload into the 'ldap_admin_login' field.

Description

Arbitrary command execution on the server is possible by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS from 700 through <=777.4.

Exploits (2)

nomisec · WORKING POC · 9 stars
by mhaskar · poc
https://github.com/mhaskar/CVE-2024-11320

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Pandora FMS v7.0NG.777.3 Andromeda - FREE
Auth required
Prerequisites: Valid credentials for initial authentication · Network access to the target Pandora FMS instance · Listener setup for reverse shell
devstral-2 · analyzed Feb 18, 2026

metasploit · WORKING POC · EXCELLENT
ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pandora_fms_auth_rce_cve_2024_11320.rb

This Metasploit module exploits CVE-2024-11320, a command injection vulnerability in Pandora FMS's LDAP authentication mechanism. It leverages default MySQL credentials to create an admin user, then injects commands via misconfigured LDAP settings to achieve RCE.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Pandora FMS (7.0NG.718 through 7.0NG.777.4)
Auth required
Prerequisites: MySQL service exposed with default credentials · Admin access to Pandora FMS web interface
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Pandora v7.0NG.777.3 - Remote Code Execution
CRITICAL · by DhiyaneshDK, Shubham Rooter, pdresearch, iamnoooob
Shodan: http.html:"pandora fms - installation wizard" || http.title:"pandora fms"
FOFA: body="pandora fms - installation wizard" || title="pandora fms"

Scores

CVSS v3: 9.8
EPSS: 0.9051
EPSS Percentile: 99.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-77
Status: published
Products (1): pandorafms/pandora_fms 700 - 777.5
Published: Nov 21, 2024
Tracked Since: Feb 18, 2026