CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
CVE-2025-4653: Remote Code Execution leads to Command Injection
7.0
CVSS
Description
Improper Neutralization of Special Elements in the backup name field may allow OS command injection. This issue affects Pandora ITSM 5.0.105.
Classification
CVE ID: CVE-2025-4653
CVSS Base Severity: HIGH
CVSS Base Score: 7.0
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:N/R:U/V:D/RE:M/U:Green
Problem Types
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')Affected Products
Vendor: Pandora FMS
Product: Pandora ITSM
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.57% (probability of being exploited)
EPSS Percentile: 67.45% (scored less or equal to compared to others)
EPSS Date: 2025-06-20 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: total
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2025-4653https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/