CVE-2021-41282

HIGH NUCLEI

pfSense Diag Routes Web Shell Upload

Title source: metasploit

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-41282. PoCs published by Abdel Adim, Oisfi of Shielder, jbaines-r7, including Metasploit module exploits/unix/http/pfsense_diag_routes_webshell. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2021-41282, an arbitrary file creation vulnerability in pfSense's HTTP interface, allowing authenticated users with specific privileges to upload a PHP web shell and execute commands with root privileges.

Description

diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Abdel Adim, Oisfi of Shielder, jbaines-r7 · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pfsense_diag_routes_webshell.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2021-41282, an arbitrary file creation vulnerability in pfSense's HTTP interface, allowing authenticated users with specific privileges to upload a PHP web shell and execute commands with root privileges.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfSense <= 2.5.2

Auth required

Prerequisites: Authenticated access with 'WebCfg - Diagnostics: Routing tables' privilege · Network access to pfSense web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

pfSense - Arbitrary File Write

HIGHby cckuailong

Shodan: http.title:"pfsense - login"

FOFA: title="pfsense - login"

References (4)

Core 4

Core References

Third Party Advisory x_refsource_misc

https://www.shielder.it/advisories/

Exploit, Third Party Advisory x_refsource_misc

https://www.shielder.it/advisories/pfsense-remote-command-execution/

Release Notes, Third Party Advisory x_refsource_misc

https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/166208/pfSense-2.5.2-Shell-Upload.html

Scores

CVSS v3 8.8

EPSS 0.8711

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-74

Status published

Products (1)

pfsense/pfsense 2.5.2

Published Mar 01, 2022

Tracked Since Feb 18, 2026