CVE-2023-27253

HIGH

Netgate pfSense <2.7.0 - Command Injection

Description

A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands by manipulating the contents of an XML file supplied to the component config.xml.

Exploits (2)

exploitdb WORKING POC
by Emir Polat · ruby, webapps, php
https://www.exploit-db.com/exploits/51608

metasploit WORKING POC EXCELLENT
by Emir Polat · ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pfsense_config_data_exec.rb

Scores

CVSS v3 8.8
EPSS 0.7775
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-91
Status published
Products (1)
netgate/pfsense 2.7.0
Published Mar 17, 2023
Tracked Since Feb 18, 2026