vulnerability
pfSense: pfSense-SA-23_11.webgui: Authenticated Command Execution in the WebGUI
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Oct 31, 2023 | Nov 7, 2023 | Feb 18, 2025 |
Description
A potential authenticated arbitrary command execution vulnerability was found in
packet_capture.php, a component of the pfSense Plus and pfSense CE software GUI.
When performing a packet capture on packet_capture.php, the submitted POST
"count" or "length" values are not validated. Subsequently, the submitted values
are used in shell commands.
This problem is present on pfSense Plus version 23.05.1, pfSense CE version
2.7.0, and earlier versions of both.
Due to a lack of escaping on commands in the functions being called, it is
possible to execute arbitrary commands with a properly formatted submission
value for "count" or "length" in POST operations.
The user must be logged in and have sufficient privileges to access
either packet_capture.php.
Solution
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.