CVE-2025-34173

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated attackers with Snort package permissions to perform directory traversal in the Snort IP reputation module of pfSense CE. File contents cannot be read, but attackers can enumerate files on the system to discover sensitive information. Only pfSense CE installations with the Snort package enabled are affected, and only authenticated users with the appropriate permissions can exploit it.

💻 Affected Systems

Products:
  • pfSense CE
Versions: All versions before the fix commit d6f462bcc446969f8955c16cfde300d5c9ab7435
Operating Systems: FreeBSD-based
Default Config Vulnerable: ✅ No
Notes: Requires the Snort package to be installed and enabled, and the attacker must have 'WebCfg - Services: Snort package' permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map the entire filesystem, discover configuration files, credentials, or other sensitive data locations, enabling further targeted attacks.

🟠 Likely Case

Attackers with legitimate Snort management access abuse their permissions to enumerate files, potentially discovering backup files, logs, or configuration data.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to information disclosure about file existence without content exposure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access with specific permissions and knowledge of the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version containing commit d6f462bcc446969f8955c16cfde300d5c9ab7435

Vendor Advisory: https://redmine.pfsense.org/issues/16412

Restart Required: No

Instructions:

1. Update pfSense CE to the latest version.
2. Apply the specific patch from GitHub commit d6f462bcc446969f8955c16cfde300d5c9ab7435.
3. No service restart required.

🔧 Temporary Workarounds

Restrict Snort Management Access

Limit 'WebCfg - Services: Snort package' permissions to only essential administrators.

Disable Snort Package

If Snort functionality is not required, disable the package entirely.

🧯 If You Can't Patch

  • Implement strict access controls for Snort management interface
  • Monitor and audit access to /usr/local/www/snort/snort_ip_reputation.php endpoint

🔍 How to Verify

Check if Vulnerable:

Check if your pfSense CE version predates commit d6f462bcc446969f8955c16cfde300d5c9ab7435 and has Snort package enabled.

Check Version:

pfSense version from web interface or 'cat /etc/version' from shell

Verify Fix Applied:

Verify the patch is applied by checking the snort_ip_reputation.php file for proper input sanitization of the iplist parameter.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to snort_ip_reputation.php with directory traversal sequences in parameters

Network Indicators:

  • HTTP requests containing '../' or similar traversal patterns to the Snort endpoint

SIEM Query:

web_access_logs WHERE url LIKE '%snort_ip_reputation.php%' AND (params CONTAINS '../' OR params CONTAINS '..\\')
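
The log and network indicators above, as a small detector over web access logs. This is an added example, not code from pfSense or the Snort package. It assumes a combined-format access log, that request parameters appear in the logged query string, and the URL path `/snort/snort_ip_reputation.php`; all sample lines are constructed. Unlike the literal substring match in the SIEM query, it percent-decodes values repeatedly so encoded traversal sequences are also caught.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "snort_ip_reputation.php"  # endpoint named in this advisory
# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines: addresses, users, URL path and values are illustrative.
SAMPLE_LOG = [
    '192.0.2.10 - admin [01/Jan/2025:10:00:00 +0000] "GET /snort/snort_ip_reputation.php?iplist=blocklist.txt HTTP/1.1" 200 512',
    '192.0.2.20 - snortop [01/Jan/2025:10:00:05 +0000] "GET /snort/snort_ip_reputation.php?iplist=..%2F..%2Fexample HTTP/1.1" 200 512',
    '192.0.2.20 - snortop [01/Jan/2025:10:00:09 +0000] "GET /snort/snort_ip_reputation.php?iplist=%252e%252e%255cexample HTTP/1.1" 200 512',
    '192.0.2.30 - admin [01/Jan/2025:10:01:00 +0000] "GET /index.php?file=../x HTTP/1.1" 200 100',
]

def has_traversal(value, max_decodes=3):
    """True if value holds a '..' path segment, also after repeated percent-decoding."""
    for _ in range(max_decodes + 1):
        if ".." in re.split(r"[/\\]", value):
            return True
        decoded = unquote(value)
        if decoded == value:  # nothing left to decode
            break
        value = decoded
    return False

def flag_line(line):
    """Return [(param, value), ...] with traversal sent to the Snort endpoint, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(ENDPOINT):
        return None  # other endpoints are out of scope for this indicator
    # parse_qsl already applies one round of percent-decoding to each value.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if has_traversal(v)] or None

def scan(lines):
    """Yield (line_number, hits) for every flagged log line."""
    return [(i, hits) for i, line in enumerate(lines, 1) if (hits := flag_line(line))]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: traversal in {hits}")
```

If the vulnerable parameter is submitted in a request body, it will not appear in access logs, and the same `has_traversal` check would have to run where bodies are visible, such as a reverse proxy or WAF.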
