Command Injection Vulnerability in pfSense Web Interface
CVE-2016-10709

8.8HIGH

Key Information:

Vendor: Pfsense
Status: Pfsense
Vendor: CVE Published:; 22 January 2018

Badges

👾 Exploit Exists🟣 EPSS 78%

What is CVE-2016-10709?

A command injection vulnerability exists in the pfSense web interface, which allows remote authenticated users to execute arbitrary operating system commands. This occurs due to improper handling of the '|' character in the status_rrd_graph_img.php graph parameter, linked to the _rrd_graph_img.php file. Exploiting this vulnerability could enable attackers to manipulate system-level commands, potentially affecting the security and functionality of the pfSense system.

References

https://www.rapid7.com/db/modules/exploit/unix/http/pfsen...

x_refsource_MISC

https://www.security-assessment.com/files/documents/advis...

x_refsource_MISC

https://www.exploit-db.com/exploits/39709/

exploitx_refsource_EXPLOIT-DB

EPSS Score

78% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 22, 2018
Vulnerability Reserved
Jan 21, 2018
🟡
Public PoC available
Apr 26, 2017
👾
Exploit known to exist
Apr 26, 2017

Pfsense

Badges

What is CVE-2016-10709?

References

EPSS Score

CVSS V3.1

Timeline