CVE-2025-34174
📋 TL;DR
This stored XSS vulnerability in pfSense CE allows authenticated attackers with 'WebCfg - Status: Traffic Totals' permissions to inject malicious scripts into the Status Traffic Totals page. When exploited, these scripts execute in the browsers of all users who visit that page, potentially stealing session cookies or performing unauthorized actions. Only pfSense CE installations with users having the specific required permissions are affected.
💻 Affected Systems
- pfSense CE
📦 What is this software?
pfSense is an open-source firewall and router distribution based on FreeBSD, administered through a PHP web GUI (the "WebCfg" interface referenced in the permission names above).
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider could steal administrator session cookies, gain full administrative access, pivot to internal systems, or deploy ransomware across the network.
Likely Case
Attackers with valid credentials could steal session cookies from other users, escalate privileges, or perform unauthorized configuration changes within pfSense.
If Mitigated
With proper access controls limiting who has 'WebCfg - Status: Traffic Totals' permissions, impact is limited to authorized users only.
🎯 Exploit Status
Requires authenticated access with specific permissions. Exploitation involves injecting malicious payload into the start-day parameter that gets stored and served to all users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version containing commit 9e412edf62113303c36c7f7d5a48b0a3fb0be893
Vendor Advisory: https://redmine.pfsense.org/issues/16413
Restart Required: No
Instructions:
1. Update pfSense CE to the latest version.
2. Apply the patch via System > Update > pfSense Plus/CE.
3. No restart is required; the patch applies immediately.
🔧 Temporary Workarounds
Remove vulnerable permissions
Temporarily remove the 'WebCfg - Status: Traffic Totals' permission from all users until patched.
Input validation via custom rules
Add input validation for the start-day parameter using custom PHP validation if you are unable to patch immediately.
🧯 If You Can't Patch
- Restrict 'WebCfg - Status: Traffic Totals' permissions to only absolutely necessary trusted administrators.
- Implement network segmentation to isolate pfSense management interface from general user access.
🔍 How to Verify
Check if Vulnerable:
Check if /usr/local/www/status_traffic_totals.php lacks proper input sanitization for the start-day parameter.
Check Version:
pfSense version | grep 'Version'
Verify Fix Applied:
Verify the file contains proper htmlspecialchars() or equivalent sanitization for the start-day parameter output.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to status_traffic_totals.php with script tags in parameters
- Multiple users accessing Status Traffic Totals page from same IP
Network Indicators:
- Unexpected outbound connections from pfSense web interface to external domains
SIEM Query:
source='pfSense' AND uri='*status_traffic_totals.php*' AND (param='*<script*' OR param='*javascript:*')
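The SIEM query above matches the literal strings '<script' and 'javascript:', which misses percent-encoded submissions. The following added example (not pfSense code) applies the same logic to constructed web-server log lines after URL-decoding the query string; the log format, sample lines and function names are assumptions for illustration.

```python
"""Log-review helper for CVE-2025-34174 (added example, not part of pfSense).

Flags requests to status_traffic_totals.php whose decoded query parameters
contain '<script' or 'javascript:', so percent-encoded payloads are caught too.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in an assumed simplified format: ip method uri status
SAMPLE_LOG = """\
10.0.0.5 GET /status_traffic_totals.php?start-day=1 200
10.0.0.7 POST /status_traffic_totals.php?start-day=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
10.0.0.9 GET /status_traffic_totals.php?start-day=javascript:alert(1) 200
10.0.0.5 GET /status_rrd_graph.php?start-day=%3Cscript%3E 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d+)$")
SUSPICIOUS = ("<script", "javascript:")


def suspicious_params(uri: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) pairs whose decoded value carries a marker.

    parse_qs percent-decodes values, so '%3Cscript%3E' is compared as '<script>'.
    """
    hits = []
    for name, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        for value in values:
            decoded = value.lower()
            if any(marker in decoded for marker in SUSPICIOUS):
                hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list[dict]:
    """Return one alert record per line hitting status_traffic_totals.php with a marker."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "status_traffic_totals.php" not in m["uri"]:
            continue  # other pages are out of scope for this CVE
        hits = suspicious_params(m["uri"])
        if hits:
            alerts.append({"ip": m["ip"], "method": m["method"], "params": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Only query-string parameters are inspected here; POST bodies, where the injected start-day value is most likely to arrive, need the same check applied to the request body if your logging captures it.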