pfSense: pfSense-SA-23_06.webgui: Authenticated Command Execution in the WebGUI
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | May 11, 2023 | Jun 23, 2023 | Feb 18, 2025 |
Description
A potential authenticated arbitrary command execution vulnerability was found in
interfaces_bridge_edit.php, a component of the pfSense Plus and pfSense CE
software GUI.
When creating or editing a bridge interface on interfaces_bridge_edit.php, the
submitted POST "bridgeif" value is used before it is validated. It is passed to
a function that in turn calls others, and those functions use the submitted
interface name in shell commands.
Due to a lack of escaping on commands in the functions being called, it is
possible to execute arbitrary commands with a properly formatted submission
value for "bridgeif" in POST operations.
This problem is present on pfSense Plus version 23.01, pfSense CE version
2.6.0, and earlier versions of both.
A user with sufficient privileges to access interfaces_bridge_edit.php may be
able to execute arbitrary shell commands.
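The defect class the advisory describes is a POST value reaching a shell command before it is validated and without being escaped. The following PHP is an added illustration written for this page; it is not pfSense code and does not reproduce interfaces_bridge_edit.php. The function names, the sample POST arrays and the assumption that a bridge interface name has the form "bridge" followed by digits are all constructed for the example. The commands are only built as strings and never executed.

```php
<?php
// Added illustration, not pfSense code. Shows the unsafe pattern (raw POST value
// interpolated into a command line) next to a hardened handler that validates
// the value first and escapes it anyway before it becomes a shell argument.

// Vulnerable pattern: the raw "bridgeif" value is interpolated into a command.
// Whatever the client submitted becomes part of the command line unchanged.
function build_vulnerable_command(array $post): string {
    $bridgeif = $post['bridgeif'] ?? '';
    return "/sbin/ifconfig {$bridgeif} up";
}

// Hardened pattern, step 1: validate before any use. For this example a bridge
// interface name is assumed to be "bridge" followed by one or more digits.
function is_valid_bridgeif(string $name): bool {
    return preg_match('/^bridge[0-9]+$/', $name) === 1;
}

// Hardened pattern, step 2: reject invalid input, and even for valid input pass
// the value through escapeshellarg() so it is always exactly one shell word.
function build_safe_command(array $post): string {
    $bridgeif = $post['bridgeif'] ?? '';
    if (!is_valid_bridgeif($bridgeif)) {
        throw new InvalidArgumentException('bridgeif failed validation');
    }
    return '/sbin/ifconfig ' . escapeshellarg($bridgeif) . ' up';
}

// Constructed sample inputs: a well-formed name and one carrying a harmless
// shell metacharacter sequence, to show how each handler treats it.
$well_formed = ['bridgeif' => 'bridge0'];
$untrusted   = ['bridgeif' => 'bridge0; echo injected'];

// The vulnerable builder keeps the metacharacters in the command string.
echo build_vulnerable_command($untrusted), PHP_EOL;

// The hardened builder refuses the value before it can reach a shell.
try {
    echo build_safe_command($untrusted), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// The hardened builder accepts the well-formed name and quotes it as one word.
echo build_safe_command($well_formed), PHP_EOL;
```

The validation step is the primary control: it decides what is acceptable before the value is used anywhere. The escaping step is defence in depth, so that a later change to the allowed pattern, or a code path that bypasses validation, still cannot turn the argument into additional shell syntax.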
Solution