Critical pfSense Firewall Flaws Allow Malicious Code Injection

Security researchers have disclosed three major vulnerabilities affecting pfSense, the widely used open-source firewall and router platform.

These flaws—assigned CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779—impact pfSense Community Edition (CE) versions before the 2.8.0 beta release and corresponding Plus builds.

Exploits range from cloud backup hijacking and command injection to XML-based configuration corruption and persistent cross-site scripting (XSS), putting thousands of installations at risk.

1. ACB Cloud Backup Key Hijack & Stored XSS (CVE-2024-57273)

The first vulnerability centers on pfSense’s Automatic Configuration Backup (ACB) service, which allows administrators to store encrypted firewall backups on Netgate’s cloud servers.

The flaw arises from how the ACB API key is derived: it is simply a hash of the host's public SSH key, /etc/ssh/ssh_host_ed25519_key.pub.

If the SSH server is exposed, an attacker can retrieve this public key and compute the API key required to interact with the ACB API endpoints, such as /getbkp, /list, /save, and /rmbkp1.

With this access, an attacker can:

  • Delete cloud backups
  • Inject malicious JavaScript payloads into the backup metadata (stored XSS)
  • Leak sensitive information

For example, a JavaScript payload can be injected into the “reason” field of a backup.

When an administrator later visits /services_acb.php, the poisoned backup list is fetched and the malicious code is executed in the browser, potentially leading to remote code execution (RCE) due to pfSense’s built-in webshell. The vulnerable code in PHP is as follows:

<td><?= $cv['localtime']; ?></td>
<td><?= $cv['reason']; ?></td> <!-- attacker-controlled 'reason' is echoed without HTML escaping -->

Netgate has patched this by allowing manual API key configuration and filtering user input.
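The two halves of Netgate's fix described above (escaping on output, filtering on input) are easy to see side by side. The following Python is an added illustration, not pfSense code: it mirrors the PHP template's row rendering, then shows the escaped version and a simple input filter for the "reason" field. The backup entries are constructed sample data; the JSON field names follow the template above, but the shape of the real ACB listing is an assumption.

```python
import html
import re

# Constructed sample of a backup listing (assumption: entries carry 'localtime' and
# 'reason' as in the template; the second entry's reason is a stored-XSS test string).
SAMPLE_BACKUPS = [
    {"localtime": "2024-12-01 10:00:00", "reason": "Scheduled backup"},
    {"localtime": "2024-12-01 11:00:00", "reason": "<script>alert(1)</script>"},
]

# Characters that have no business in a free-text backup description.
MARKUP_RE = re.compile(r"[<>\"']|&#|javascript:", re.IGNORECASE)
# Input filter: printable ASCII only, bounded length, no markup characters (assumption:
# Netgate's actual filter may differ; this is the conservative shape of such a filter).
REASON_RE = re.compile(r"^[A-Za-z0-9 .,_()/-]{0,128}$")


def render_row_vulnerable(cv: dict) -> str:
    """Equivalent of the unpatched template: values are interpolated raw."""
    return f"<td>{cv['localtime']}</td><td>{cv['reason']}</td>"


def render_row_safe(cv: dict) -> str:
    """Output encoding: every interpolated value is HTML-escaped (quotes included)."""
    return "<td>%s</td><td>%s</td>" % (
        html.escape(str(cv["localtime"]), quote=True),
        html.escape(str(cv["reason"]), quote=True),
    )


def validate_reason(reason: str) -> str:
    """Input filtering on the save path: reject anything outside a plain-text whitelist."""
    if not REASON_RE.fullmatch(reason):
        raise ValueError(f"reason rejected: {reason!r}")
    return reason


def suspicious_entries(backups: list) -> list:
    """Defender-side check: indices of listing entries whose 'reason' contains markup.
    Useful for auditing an existing cloud backup list before an admin page renders it."""
    return [i for i, cv in enumerate(backups) if MARKUP_RE.search(str(cv.get("reason", "")))]


if __name__ == "__main__":
    for cv in SAMPLE_BACKUPS:
        print(render_row_safe(cv))
    print("entries with markup:", suspicious_entries(SAMPLE_BACKUPS))
```

The escaped renderer turns `<script>` into `&lt;script&gt;`, so the browser displays the text instead of executing it; the input filter stops the payload from ever reaching the cloud metadata, and `suspicious_entries` gives an administrator a way to audit a listing that may already have been poisoned.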

2. OpenVPN Widget Command Injection (CVE-2024-54780)

A second flaw was found in the OpenVPN management widget.

Authenticated users with dashboard access can exploit unsanitized input in the remipp parameter, which is used to terminate client connections.

The vulnerable PHP code is:

if ($_POST['action'] == "kill") {
    $port = $_POST['port'];
    $remipp = $_POST['remipp'];       // taken from the request as-is, no validation
    $client_id  = $_POST['client_id'];
    if (!empty($port) and !empty($remipp)) {
        // only checks that the values are non-empty before passing them on
        $retval = openvpn_kill_client($port, $remipp, $client_id);
    }
}

The openvpn_kill_client function then writes directly to a Unix socket:

fputs($fp, "kill {$remipp}\n");

By injecting a newline character (%0A), for example remipp=5%0Astatus, an attacker can send several commands to the OpenVPN management interface in a single request.

While this does not allow arbitrary shell command execution, it does enable unauthorized manipulation of the VPN server state.
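The OpenVPN management interface is a line-oriented protocol, so the fix is to make sure the value interpolated into `kill {remipp}` can never contain a line break. The following Python is an added example, not pfSense's patch: it reproduces the unsafe string building from the PHP above, shows how many commands the socket would actually receive, and adds a validator that only accepts a `host:port` pair or a plain common name (the accepted common-name character set is an assumption).

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: a conservative character set for OpenVPN client common names.
COMMON_NAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def build_kill_command_unsafe(remipp: str) -> str:
    """Mirrors the article's fputs($fp, "kill {$remipp}\\n") with no validation."""
    return f"kill {remipp}\n"


def management_commands(payload: str) -> list:
    """What the line-oriented management interface would parse: one command per line."""
    return [line for line in payload.split("\n") if line]


def validate_remipp(remipp: str) -> str:
    """Accept 'host:port' (IPv4, or bracketed IPv6) or a plain common name; reject
    everything else, in particular any control character such as \\r or \\n."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in remipp):
        raise ValueError("control character in remipp")
    host, sep, port = remipp.rpartition(":")
    if sep and port.isdigit() and 0 < int(port) < 65536:
        try:
            ipaddress.ip_address(host.strip("[]"))
            return remipp
        except ValueError:
            pass  # not an IP literal; fall through to the common-name check
    if COMMON_NAME_RE.fullmatch(remipp):
        return remipp
    raise ValueError(f"remipp rejected: {remipp!r}")


def build_kill_command(remipp: str) -> str:
    """Hardened builder: validation happens before the value reaches the socket."""
    return f"kill {validate_remipp(remipp)}\n"


if __name__ == "__main__":
    # Constructed request value from the article, as PHP would see it after URL decoding.
    injected = unquote("5%0Astatus")
    print(management_commands(build_kill_command_unsafe(injected)))  # two commands
    print(build_kill_command("10.0.0.5:1194"), end="")
```

With the unsafe builder the decoded value `5\nstatus` turns into two commands, `kill 5` and `status`; the hardened builder raises before anything is written, and a legitimate `host:port` value passes through unchanged.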

3. XML Injection in Dashboard Widgets (CVE-2024-54779)

The third vulnerability involves XML injection in pfSense dashboard widgets.

Any authenticated user can inject arbitrary XML via the widgetkey parameter, which is used to store widget settings in /cf/conf/config.xml.

Unsanitized input can corrupt the configuration file, leading to denial of service (DoS) or persistent XSS attacks.

For example, sending widgetkey=none/> results in malformed XML:

<none/>>
    <descr><![CDATA[Hello, World !]]></descr>
    <filter></filter>
</none/>>

This can prevent pfSense from booting, as configuration parsing fails with fatal PHP errors.

Attackers can also inject JavaScript into widgets, such as the Firewall Logs widget, by manipulating the filterlogentriesinterval setting:

<log-0>
    <filterlogentriesinterval>5;alert('XSS');var test=50</filterlogentriesinterval>
</log-0>

This payload executes arbitrary JavaScript when the widget loads, compromising administrator sessions.
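Both XML problems in this section come from writing request parameters into config.xml without checking their shape: widgetkey is used as an element name, and filterlogentriesinterval is used as a number. The following Python is an added example, not pfSense code: it confirms that the malformed fragment shown above no longer parses, then builds the same widget entry with a strict identifier check on the key and an integer check on the interval, so neither payload from the article can be stored. Wrapping the fragment in a <widgets> element is an assumption about the surrounding config.xml structure.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the article's malformed fragment (assumption: config.xml wraps
# widget entries in a <widgets> element).
MALFORMED_WIDGET_XML = """<widgets>
<none/>>
    <descr><![CDATA[Hello, World !]]></descr>
    <filter></filter>
</none/>>
</widgets>"""

# widgetkey becomes an element name, so it must be a plain identifier (assumption:
# letters, digits, '_' and '-' cover the keys pfSense itself uses, e.g. log-0).
WIDGETKEY_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_widgetkey(key: str) -> str:
    """Reject anything that could open, close or terminate a tag."""
    if not WIDGETKEY_RE.fullmatch(key):
        raise ValueError(f"invalid widgetkey: {key!r}")
    return key


def validate_interval(value: str, lo: int = 1, hi: int = 3600) -> int:
    """filterlogentriesinterval is a refresh interval: digits only, within a sane range
    (the range bounds are an assumption)."""
    if not re.fullmatch(r"\d+", value):
        raise ValueError(f"interval is not an integer: {value!r}")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"interval out of range: {n}")
    return n


def build_widget_xml(widgetkey: str, interval: str) -> str:
    """Build the widget entry with the validated key and interval via the XML library,
    so the output is well-formed by construction."""
    elem = ET.Element(validate_widgetkey(widgetkey))
    ET.SubElement(elem, "filterlogentriesinterval").text = str(validate_interval(interval))
    return ET.tostring(elem, encoding="unicode")


def xml_parses(text: str) -> bool:
    """True if the fragment is well-formed XML, i.e. would survive a config reload."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    print("malformed fragment parses:", xml_parses(MALFORMED_WIDGET_XML))  # False
    print(build_widget_xml("log-0", "5"))
```

The parse failure on the constructed fragment is the same condition that leaves pfSense unable to load its configuration; the validators refuse `none/>` as a key and `5;alert('XSS');var test=50` as an interval before either reaches config.xml.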

Patch Status and Recommendations

All vulnerabilities were responsibly disclosed to Netgate, with fixes available in pfSense 2.8.0 beta, the GitHub master branch, and early access Plus channels.

Users are urged to update immediately and avoid exposing SSH and dashboard interfaces to untrusted networks.

Administrators should review the official pfSense bug tracker for further technical details and mitigation guidance.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
