CVE-2025-4653

HIGH

Pandora ITSM authenticated command injection leading to RCE via the backup function

Title source: metasploit

Description

Improper neutralization of special elements in the backup name field may allow OS command injection by an authenticated user, leading to remote code execution on the host. This issue affects Pandora ITSM 5.0.105.
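As an added illustration of the CWE-77 pattern the description refers to (this is not Pandora ITSM's code and not the Metasploit module), the snippet below contrasts a backup name interpolated into a shell command line with an allowlisted, argv-based replacement, and includes a small check that flags shell metacharacters in a submitted name. The backup directory, the tar invocation and the sample names are assumptions made for the example.

```ruby
require 'shellwords'

# Hypothetical backup location; Pandora ITSM's real paths are not on this page.
BACKUP_DIR = '/var/backups/app'.freeze

# Vulnerable pattern (CWE-77): the user-controlled name is spliced into a string
# that would be handed to /bin/sh -c. Returned, not executed, so the effect of
# metacharacters is visible without running anything.
def vulnerable_backup_command(name)
  "tar czf #{BACKUP_DIR}/#{name}.tar.gz #{BACKUP_DIR}/data"
end

# Mitigation 1: keep the string form but escape the untrusted value so the
# shell treats it as one literal argument.
def escaped_backup_command(name)
  "tar czf #{BACKUP_DIR}/#{Shellwords.escape(name)}.tar.gz #{BACKUP_DIR}/data"
end

# Mitigation 2 (preferred): allowlist the name and build argv directly, so no
# shell is involved at all. Pass the array to Kernel#system / Process.spawn.
NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/

def safe_backup_argv(name)
  raise ArgumentError, "invalid backup name: #{name.inspect}" unless name.match?(NAME_RE)

  ['tar', 'czf', File.join(BACKUP_DIR, "#{name}.tar.gz"), File.join(BACKUP_DIR, 'data')]
end

# Detection helper for request logs or WAF rules: does a submitted backup name
# carry characters a shell would interpret?
SHELL_META = /[;&|`$(){}<>\n\\'"]/

def injection_attempt?(name)
  name.match?(SHELL_META)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one benign name, one carrying a second command.
  ['nightly-2025-06-10', 'x; id #'].each do |name|
    puts "name=#{name.inspect} suspicious=#{injection_attempt?(name)}"
    puts "  vulnerable: #{vulnerable_backup_command(name)}"
    puts "  escaped:    #{escaped_backup_command(name)}"
    begin
      puts "  argv:       #{safe_backup_argv(name).inspect}"
    rescue ArgumentError => e
      puts "  argv:       rejected (#{e.message})"
    end
  end
end
```

The escaped form is shown because it is the smallest change to an existing string-built command; the argv form is the one to reach for in a rewrite, since it removes the shell from the path entirely and the allowlist also rules out path traversal in the archive name.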

Exploits (1)

metasploit (working PoC, rated excellent; Ruby PoC)
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb

Scores

CVSS v4 7.0
EPSS 0.6387
EPSS Percentile 98.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/R:U/V:D/RE:M/U:Green

Details

CWE
CWE-77
Status published
Products (1)
Pandora FMS / Pandora ITSM, versions 5.0.105 to 5.0.106
Published Jun 10, 2025
Tracked Since Feb 18, 2026