CVE-2022-31814

Exploitation Summary

CVE-2022-31814 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 11 public exploits from researchers including IHTeam, Laburity, EvergreenCartoons, including a Metasploit module exploits/unix/http/pfsense_pfblockerng_webshell. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages a command injection vulnerability in pfBlockerNG via the Host header to upload a PHP shell, achieving unauthenticated remote code execution. The shell is then used to execute arbitrary commands on the target system.

Description

pfSense pfBlockerNG through 2.1.4_26 allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.

Exploits (11)

exploitdb WORKING POC

by IHTeam · pythonwebappsphp

https://www.exploit-db.com/exploits/51032

View Code ZIP pw:eip

This exploit leverages a command injection vulnerability in pfBlockerNG via the Host header to upload a PHP shell, achieving unauthenticated remote code execution. The shell is then used to execute arbitrary commands on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: pfBlockerNG <= 2.1.4_26

No auth needed

Prerequisites: Target must have pfBlockerNG installed and accessible · Python3 environment for the exploit

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 23 stars

by Laburity · remote

https://github.com/Laburity/CVE-2022-31814

View Code ZIP pw:eip

This is a functional exploit for CVE-2022-31814, targeting pfBlockerNG <= 2.1.4_26. It achieves unauthenticated remote code execution by injecting malicious payloads via the Host header, uploading a PHP shell, and providing an interactive shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfBlockerNG <= 2.1.4_26 on pfSense

No auth needed

Prerequisites: Target must have pfBlockerNG <= 2.1.4_26 installed · Network access to the target's web interface

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by EvergreenCartoons · remote

https://github.com/EvergreenCartoons/SenselessViolence

View Code ZIP pw:eip

This repository contains a Python-based exploitation toolkit for CVE-2022-31814, a remote command injection vulnerability in pfSense pfBlockerNG <= 2.1.4_26. It includes modes for passive/active vulnerability checks, exploitation, and cleanup, with a focus on reliability and log wiping.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfSense pfBlockerNG <= 2.1.4_26

No auth needed

Prerequisites: Network access to the target pfSense instance · Vulnerable pfBlockerNG plugin installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by Chocapikk · remote

https://github.com/Chocapikk/CVE-2022-31814

View Code ZIP pw:eip

This is a functional exploit for CVE-2022-31814, targeting pfBlockerNG <= 2.1.4_26. It achieves unauthenticated remote code execution by uploading a shell via a crafted HTTP request and executing arbitrary commands.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfBlockerNG <= 2.1.4_26

No auth needed

Prerequisites: Network access to the target pfSense/pfBlockerNG instance · Python 3.x with requests and concurrent.futures modules

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by drcayber · remote

https://github.com/drcayber/RCE

View Code ZIP pw:eip

This exploit leverages a command injection vulnerability in pfBlockerNG <= 2.1.4_26 via the Host header to achieve unauthenticated remote code execution (RCE). It uploads a PHP shell and provides an interactive command interface.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfBlockerNG <= 2.1.4_26

No auth needed

Prerequisites: Target must have pfBlockerNG installed and accessible · Python 3.x environment for execution

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by SystemVll · remote

https://github.com/SystemVll/CVE-2022-31814

View Code ZIP pw:eip

This Python script exploits CVE-2022-31814 in pfSense by uploading a PHP shell via a command injection vulnerability in pfBlockerNG, executing arbitrary commands, and then cleaning up the shell. It targets unauthenticated RCE by leveraging a malicious Host header.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfSense with pfBlockerNG (versions affected by CVE-2022-31814)

No auth needed

Prerequisites: pfBlockerNG installed on target pfSense instance · Network access to the pfSense web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by dkstar11q · remote

https://github.com/dkstar11q/CVE-2022-31814

View Code ZIP pw:eip

This is a functional proof-of-concept exploit for CVE-2022-31814, targeting pfBlockerNG <= 2.1.4_26. It achieves unauthenticated remote code execution by uploading a shell via a command injection vulnerability in the Host header, then executing arbitrary commands.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfBlockerNG <= 2.1.4_26

No auth needed

Prerequisites: Target must have pfBlockerNG <= 2.1.4_26 installed · Network access to the target's web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by TheUnknownSoul · remote

https://github.com/TheUnknownSoul/CVE-2022-31814

View Code ZIP pw:eip

This is a functional exploit for CVE-2022-31814, targeting pfBlockerNG <= 2.1.4_26. It achieves unauthenticated RCE by injecting a malicious Host header to upload a PHP shell, then interacts with it for command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfBlockerNG <= 2.1.4_26 on pfSense

No auth needed

Prerequisites: Target must have pfBlockerNG installed and accessible · Python 3.x with requests library

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by ArunHAtter · remote

https://github.com/ArunHAtter/CVE-2022-31814

View Code ZIP pw:eip

This is a functional exploit for CVE-2022-31814, targeting pfBlockerNG <= 2.1.4_26. It achieves unauthenticated remote code execution by injecting a malicious payload via the Host header, uploading a PHP shell, and providing an interactive shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfBlockerNG <= 2.1.4_26

No auth needed

Prerequisites: Target URL(s) with pfBlockerNG installed · Network access to the target · Python 3.x with requests library

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec STUB

by Madliife0 · poc

https://github.com/Madliife0/CVE-2022-31814

View Code ZIP pw:eip

The repository contains only a README.md file with a CVE identifier and no exploit code or technical details. It appears to be a placeholder or incomplete submission.

Classification

Stub 10%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC GREAT

by IHTeam, jheysel-r7 · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated RCE vulnerability in pfSense's pfBlockerNG plugin (CVE-2022-31814) by injecting a PHP webshell via a malformed Host header, allowing root command execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: pfSense pfBlockerNG plugin versions 2.1.4_26 and below

No auth needed

Prerequisites: Target must have pfBlockerNG plugin installed and vulnerable version · Network access to pfSense web interface (port 443)

MITRE ATT&CK