Directory Traversal Weakness in pfSense CE by Netgate
CVE-2025-53392

5 MEDIUM

Key Information:

Vendor: Netgate

Status
Vendor
CVE Published: 28 June 2025

What is CVE-2025-53392?

In pfSense CE version 2.8.0, the 'WebCfg - Diagnostics: Command' privilege is affected by a directory traversal vulnerability. It allows an attacker to read arbitrary files through the dlPath parameter of diag_command.php, potentially exposing sensitive information. Although the intended functionality is clarified in the product documentation and user interface, system administrators must remain vigilant about the permissions granted at this privilege level.

Affected Version(s)

pfSense 2.8.0

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved