CVE-2016-10709

HIGH

pfSense < 2.2.6 - Authenticated OS Command Injection via Graph Parameter

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2016-10709. PoCs published by Security-Assessment.com, wetw0rk, Security-Assessment.com, Milton Valencia, Jared Stephens, including Metasploit module exploits/unix/http/pfsense_graph_injection_exec.

AI-analyzed exploit summary This exploit demonstrates command injection and XSS vulnerabilities in pfSense Community Edition <= 2.2.6. The command injection leverages octal encoding to bypass input validation and execute arbitrary commands as root via the `status_rrd_graph_img.php` endpoint. The XSS vulnerabilities allow stored and reflected attacks in multiple administrative interfaces.

Description

pfSense before 2.3 allows remote authenticated users to execute arbitrary OS commands via a '|' character in the status_rrd_graph_img.php graph parameter, related to _rrd_graph_img.php.

Exploits (4)

exploitdb WORKING POC

by Security-Assessment.com · textwebappsphp

https://www.exploit-db.com/exploits/39709

View Code ZIP pw:eip

This exploit demonstrates command injection and XSS vulnerabilities in pfSense Community Edition <= 2.2.6. The command injection leverages octal encoding to bypass input validation and execute arbitrary commands as root via the `status_rrd_graph_img.php` endpoint. The XSS vulnerabilities allow stored and reflected attacks in multiple administrative interfaces.

Classification

Working Poc 95%

Attack Type

Rce, Xss

Complexity

Moderate

Reliability

Reliable

Target: pfSense Community Edition <= 2.2.6

Auth required

Prerequisites: Authenticated non-administrative user access · Network access to the pfSense web interface

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application T1059.004 - Unix Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 75 stars

by wetw0rk · poc

https://github.com/wetw0rk/Exploit-Development

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2016-10709, targeting the HackSys Extreme Vulnerable Driver (HEVD) with a stack overflow vulnerability. The exploit includes shellcode for token stealing and privilege escalation on Windows 10 x64 systems.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: HackSys Extreme Vulnerable Driver (HEVD)

No auth needed

Prerequisites: Access to the vulnerable driver · Windows 10 x64 environment

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1055 - Process Injection

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Security-Assessment.com, Milton Valencia, Jared Stephens · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pfsense_graph_injection_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated remote command execution vulnerability in pfSense via the `graph` parameter in `status_rrd_graph_img.php`. It uploads a PHP payload and executes it as root by leveraging command injection.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfSense <= 2.2.6

Auth required

Prerequisites: Valid pfSense credentials · Network access to the pfSense web interface

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by s4squatch, h00die · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pfsense_group_member_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated remote command execution vulnerability in pfSense versions <= 2.3.1_1 via command injection in the system_groupmanager.php page. It leverages CSRF token extraction and session management to execute arbitrary commands.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfSense <= 2.3.1_1

Auth required

Prerequisites: Valid credentials for pfSense web interface · Network access to the pfSense management interface

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory x_refsource_misc

https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_graph_injection_exec

Exploit, Third Party Advisory x_refsource_misc

https://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/39709/

Vendor Advisory x_refsource_misc

https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc

Scores

CVSS v3 8.8

EPSS 0.3425

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (1)

pfsense/pfsense < 2.2.6

Published Jan 22, 2018

Tracked Since Feb 18, 2026