module

Pandora ITSM authenticated command injection leading to RCE via the backup function

Disclosed: Jun 10, 2025
Created: Aug 7, 2025

Description

Pandora ITSM is a platform for Service Management & Support including a Helpdesk for support
and customer service teams, aligned with ITIL processes.
This module exploits a command injection vulnerability in the `name` backup setting on the
application setup page of Pandora ITSM. It is triggered by generating a backup with a
malicious payload injected into the `name` parameter.
Admin access to the Pandora ITSM web application is required to execute this RCE.
This access can be obtained by knowing the admin credentials for the web application or by
leveraging a default password vulnerability in Pandora ITSM that allows an attacker to access
the Pandora FMS ITSM database, create a new admin user and gain administrative access to the
Pandora ITSM web application. This attack can be executed remotely over the WAN as long as the
MySQL services are exposed to the outside world.
This issue affects all ITSM Enterprise editions up to `5.0.105` and is patched in `5.0.106`.
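
A defender-side triage check for the two facts above, as an added example that is not part of the module or of Pandora ITSM: it flags installs below the patched `5.0.106` and backup `name` values that fall outside a conservative allowlist. The allowlist policy, the function names and the sample values are assumptions made for illustration.

```python
import re

# From the advisory text: affected up to 5.0.105, patched in 5.0.106.
PATCHED = (5, 0, 106)

# Assumed policy (not Pandora ITSM's own): letters, digits, dot, underscore, hyphen.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def parse_version(text):
    """Turn '5.0.105' into (5, 0, 105); reject anything that is not x.y.z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True when the version is older than the patched release."""
    return parse_version(version_text) < PATCHED


def name_is_safe(name):
    """True only for names that cannot alter a command line.

    fullmatch() rejects shell metacharacters, whitespace and trailing
    newlines; the prefix test rejects values a tool could read as an
    option ('-x') or a hidden/relative path ('.', '..').
    """
    return bool(SAFE_NAME.fullmatch(name)) and not name.startswith(("-", "."))


def triage(version_text, backup_name):
    """Return a list of findings for one install (empty list = nothing to do)."""
    findings = []
    if is_affected(version_text):
        findings.append("upgrade-to-5.0.106")
    if not name_is_safe(backup_name):
        findings.append("review-backup-name")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: (version, configured backup name).
    for version, name in [("5.0.105", "weekly$(hostname)"), ("5.0.106", "nightly_2025-06-10")]:
        print(version, repr(name), triage(version, name))
```

A `review-backup-name` finding on a stored setting is worth investigating even on a patched install, since the value may predate the upgrade.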

Author

h00die-gr3y

Platform

Linux, Unix

Architectures

cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/linux/http/pandora_itsm_auth_rce_cve_2025_4653
msf exploit(pandora_itsm_auth_rce_cve_2025_4653) > show targets
...targets...
msf exploit(pandora_itsm_auth_rce_cve_2025_4653) > set TARGET <target-id>
msf exploit(pandora_itsm_auth_rce_cve_2025_4653) > show options
...show and set options...
msf exploit(pandora_itsm_auth_rce_cve_2025_4653) > exploit
