Command Injection Vulnerability in Netgate pfSense
CVE-2023-27253

8.8HIGH

Key Information:

Vendor: Netgate
Status: Pfsense
Vendor: CVE Published:; 17 March 2023

What is CVE-2023-27253?

In Netgate pfSense version 2.7.0, a vulnerability exists in the restore_rrddata() function that allows authenticated attackers to execute arbitrary commands. This can be achieved by manipulating the contents of a specially crafted XML file, specifically the component config.xml. Exploitation of this vulnerability could lead to unauthorized command execution within the affected system.

References

https://redmine.pfsense.org/issues/13935

https://github.com/pfsense/pfsense/commit/ca80d18493f8f91...

http://packetstormsecurity.com/files/173487/pfSense-Resto...

EPSS Score

78% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 17, 2023
Vulnerability Reserved
Feb 27, 2023