pfSense: pfSense-SA-22_02.webgui: Multiple vulnerabilities in the WebGUI

Severity
9
CVSS
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published
Jan 12, 2022
Added
Oct 18, 2022
Modified
May 12, 2026

Description

The diag_routes.php page in the pfSense CE and pfSense Plus software WebGUI
contains multiple vulnerabilities resulting from passing arbitrary user input in
the filter parameter as a pattern to the sed command. These problems are present
on pfSense CE version 2.5.2, pfSense Plus version 21.05.2, and earlier versions
of both.

The input passed to sed from the filter parameter was escaped to prevent direct
injection of shell commands, but sed commands embedded in the pattern itself were
still honored (e.g. 'e' to execute a command, 'r' to read a file, 'w' to write a
file). By supplying a filter that terminates the regular expression and continues
with such sed command directives, an attacker could execute shell commands and
read or write arbitrary files as the WebGUI process.
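To make the mechanism concrete, the following is an added illustration and not pfSense's own code: a constructed stand-in for a route-listing page that shell-escapes the user filter (in the way PHP escapeshellarg() does) and then splices it into a sed script. The escaping keeps the shell from seeing metacharacters, yet a filter containing a '/' and a newline still closes the regex and adds 'r' or 'w' commands, which is exactly the class of bug the advisory describes. The sample routing table, the paths and the function names are all assumptions made for the demo. The hardened variant avoids the problem by never letting untrusted text become sed syntax.

```shell
#!/bin/sh
# Added demonstration of sed-script injection through a shell-escaped
# parameter. Constructed stand-in, NOT code from pfSense's diag_routes.php.
set -u

# Constructed routing-table sample (assumption for the demo).
routes_sample() {
  printf '%s\n' \
    'default            192.0.2.1          UGS     em0' \
    '10.0.0.0/8         link#2             U       em1' \
    '192.0.2.0/24       link#1             U       em0'
}

# Rough shell equivalent of PHP escapeshellarg(): wrap in single quotes
# and escape embedded single quotes, so the shell sees one argument.
shell_escape() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# VULNERABLE pattern (hypothetical): the filter cannot break out of the
# shell quoting, but it is still interpolated into a sed *script*. There a
# '/' closes the regular expression and a newline starts a new sed command,
# so "^/r /etc/passwd<newline>/^" turns into:
#   /^/r /etc/passwd
#   /^/p
# i.e. "append /etc/passwd after every line". 'w' writes arbitrary files the
# same way, and GNU sed's 'e' would run the rest of the line as a command.
filter_routes_vuln() {
  script=$(shell_escape "/$1/p")
  routes_sample | sh -c "sed -n $script"
}

# HARDENED: the filter is passed as its own argv word to a fixed-string
# matcher, so no character in it is ever interpreted as sed or regex
# syntax. (In PHP the equivalent is escapeshellarg() on a separate
# argument plus a non-pattern match, or escaping every regex and sed
# metacharacter, including '/' and newline, before building a pattern.)
filter_routes_safe() {
  routes_sample | grep -F -- "$1" || true
}
```

Run `filter_routes_vuln "$(printf '^/r /etc/hosts\n/^')"` to watch the file contents interleaved with the route lines; the same payload given to filter_routes_safe matches nothing. The key takeaway is that shell escaping only answers "can this break out of the shell?", not "can this drive the interpreter it is handed to?".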

An authenticated attacker with access to the affected page could execute
arbitrary shell commands and thereby achieve privilege escalation, information
disclosure, denial of service, or other negative outcomes.

Solution

pfsense-upgrade-latest