CVE-2014-125115

CVE-2014-125115 is a critical-severity vulnerability with a CVSS 4.0 base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-89.

Key facts

Description

An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.

Frequently asked questions

What is CVE-2014-125115?
An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution.
How severe is CVE-2014-125115?
CVE-2014-125115 has a CVSS 4.0 base score of 10.0, rated critical severity.
Is CVE-2014-125115 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (75th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2014-125115?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
Does CVE-2014-125115 have an EU (EUVD) identifier?
Yes. CVE-2014-125115 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2014-9806.
When was CVE-2014-125115 published?
CVE-2014-125115 was published on 2025-07-25 and last updated on 2026-06-17.

References

Other CWE-89 (SQL Injection) vulnerabilities

Browse all CWE-89 (SQL Injection) vulnerabilities →