Rapid7 Vulnerability & Exploit Database

Pandora FMS Events Remote Command Execution

Back to Search

Pandora FMS Events Remote Command Execution



This module exploits a vulnerability (CVE-2020-13851) in Pandora FMS versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 (and perhaps older versions) in order to execute arbitrary commands. This module takes advantage of a command injection vulnerability in the `Events` feature of Pandora FMS. This flaw allows users to execute arbitrary commands via the `target` parameter in HTTP POST requests to the `Events` function. After authenticating to the target, the module attempts to exploit this flaw by issuing such an HTTP POST request, with the `target` parameter set to contain the payload. If a shell is obtained, the module will try to obtain the local MySQL database password via a simple `grep` command on the plaintext `/var/www/html/pandora_console/include/config.php` file. Valid credentials for a Pandora FMS account are required. The account does not need to have admin privileges. This module has been successfully tested on Pandora 7.0 NG 744 running on CentOS 7 (the official virtual appliance ISO for this version).


  • Fernando Catoira
  • Julio Sanchez
  • Erik Wynter




x86, x64, cmd


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/pandora_fms_events_exec
msf exploit(pandora_fms_events_exec) > show targets
msf exploit(pandora_fms_events_exec) > set TARGET < target-id >
msf exploit(pandora_fms_events_exec) > show options
    ...show and set options...
msf exploit(pandora_fms_events_exec) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security