CVE-2021-41282

HIGH NUCLEI

pfSense Diag Routes Web Shell Upload

Title source: metasploit

Description

diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Abdel Adim, Oisfi of Shielder, jbaines-r7 · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pfsense_diag_routes_webshell.rb

View Code ZIP pw:eip

Nuclei Templates (1)

pfSense - Arbitrary File Write

HIGHby cckuailong

Shodan: http.title:"pfsense - login"

FOFA: title="pfsense - login"

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/166208/pfSense-2.5.2-Shell-Upload.html

[Release Notes, Third Party Advisory] https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html

[Third Party Advisory] https://www.shielder.it/advisories/

[Exploit, Third Party Advisory] https://www.shielder.it/advisories/pfsense-remote-command-execution/

Scores

CVSS v3 8.8

EPSS 0.9127

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-74

Status published

Products (1)

pfsense/pfsense 2.5.2

Published Mar 01, 2022

Tracked Since Feb 18, 2026