What is the CVSS score of CVE-2025-34088?

CVE-2025-34088 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 49.7%.

Which versions of PHP are affected by CVE-2025-34088?

Organizations using Pandora FMS face significant risk from CVE-2025-34088, a OS command injection vulnerability rated CVSS 8.8.

Is there a public PoC exploit available for CVE-2025-34088?

Yes, a public proof-of-concept exploit is available for CVE-2025-34088. Prioritise patching immediately. EPSS: 49.7%.

How to fix or mitigate CVE-2025-34088?

Within 24 hours: Identify all affected systems running Pandora FMS and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

PHP CVE-2025-34088

EUVD-2025-19903 HIGH

OS Command Injection (CWE-78)

2025-07-03 disclosure@vulncheck.com

PHP RCE Command Injection Pandora Fms

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 02:12 euvd

EUVD-2025-19903

Analysis Generated

Mar 16, 2026 - 02:12 vuln.today

PoC Detected

Sep 16, 2025 - 19:44 vuln.today

Public exploit code

CVE Published

Jul 03, 2025 - 20:15 nvd

HIGH 8.8

DescriptionNVD

An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection.

Analysis

Technical ContextAI

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells. This vulnerability is classified as OS Command Injection (CWE-78).

RemediationAI

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

CVE-2025-34088 vulnerability details – vuln.today

Back

PHP CVE-2025-34088

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code