CVE-2021-41282

8.8 HIGH

📋 TL;DR

CVE-2021-41282 is a command injection vulnerability in pfSense's diag_routes.php that allows authenticated users to inject sed commands and write arbitrary files. This can lead to remote code execution on the firewall appliance. All pfSense 2.5.2 installations with authenticated users are affected.

💻 Affected Systems

Products:
  • pfSense
Versions: 2.5.2
Operating Systems: FreeBSD-based
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the pfSense web interface. All default installations of pfSense 2.5.2 are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root access, allowing an attacker to pivot to internal networks, intercept traffic, or disable firewall protections.

🟠 Likely Case

Unauthorized file write leading to web shell deployment and persistent access to the firewall management interface.

🟢 If Mitigated

Limited to authenticated users only, with proper access controls preventing exploitation by unauthorized personnel.

🌐 Internet-Facing: HIGH if pfSense web interface is exposed to internet, as authenticated users can exploit remotely.
🏢 Internal Only: HIGH for internal networks, as any authenticated user (including compromised accounts) can exploit the vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but is straightforward with published proof-of-concept code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.0 and later

Vendor Advisory: https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html

Restart Required: No

Instructions:

1. Back up the current configuration.
2. Update pfSense to version 2.6.0 or later via System > Update.
3. Apply the update and verify successful installation.

🔧 Temporary Workarounds

Restrict Web Interface Access (all platforms)

Limit access to the pfSense web interface to trusted IP addresses only: configure firewall rules so that the web interface port (443 by default) accepts connections only from specific management IPs.

Disable diag_routes.php (pfSense shell)

Remove or restrict access to the vulnerable script. This removes the Diagnostics > Routes page from the web interface until the file is restored or the appliance is upgraded.

  mv /usr/local/www/diag_routes.php /usr/local/www/diag_routes.php.disabled
  chmod 000 /usr/local/www/diag_routes.php.disabled

🧯 If You Can't Patch

  • Implement strict access controls to limit who can authenticate to pfSense web interface
  • Monitor for suspicious file writes in /tmp directory and web root locations

🔍 How to Verify

Check if Vulnerable:

Check the pfSense version via the web interface Dashboard or from the CLI: pfSense-version

Check Version:

pfSense-version

Verify Fix Applied:

Verify the version is 2.6.0 or later: pfSense-version | grep '2\.6\.'

Note that this grep only matches 2.6.x releases; on a later release (2.7.x and beyond) it prints nothing even though the fix is present, so compare the reported version string against 2.6.0 directly rather than relying on the grep alone.

📡 Detection & Monitoring

Log Indicators:

  • Unusual sed command executions in system logs
  • File writes to unexpected locations from web user
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unusual outbound connections from pfSense appliance
  • HTTP requests to diag_routes.php with suspicious parameters

SIEM Query:

source="pfSense" AND (process="sed" OR process="netstat") AND user="www"
