CVE-2025-34176

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated attackers with 'WebCfg - Services: suricata package' permissions to perform directory traversal attacks in pfSense CE's suricata_ip_reputation.php file. By manipulating the iplist parameter, attackers can determine whether specific files exist on the system, enabling file enumeration. Only pfSense CE installations with the Suricata package enabled and users with specific permissions are affected.

💻 Affected Systems

Products:
  • pfSense CE
Versions: All versions before the fix commit 97852ccfd201b24ee542be30af81272485fde0b4
Operating Systems: FreeBSD-based pfSense installations
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Suricata package is installed and enabled, and attacker has 'WebCfg - Services: suricata package' permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map the filesystem structure, discover the locations of sensitive configuration, password, or key files, and use this information for further attacks.

🟠 Likely Case

Attackers with legitimate access could enumerate files to find sensitive information for privilege escalation or lateral movement within the network.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to disclosure of whether a file exists, without access to its contents.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access with specific permissions; exploitation involves directory traversal payloads in the iplist parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version containing commit 97852ccfd201b24ee542be30af81272485fde0b4

Vendor Advisory: https://redmine.pfsense.org/issues/16414

Restart Required: No

Instructions:

1. Update pfSense CE to the latest version.
2. Apply the patch from GitHub commit 97852ccfd201b24ee542be30af81272485fde0b4.
3. No service restart is required.

🔧 Temporary Workarounds

Remove Suricata Package

all

Uninstall the Suricata package if not required, eliminating the vulnerable component.

pkg delete -y suricata

Restrict User Permissions

all

Review and restrict 'WebCfg - Services: suricata package' permissions to only essential users.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate pfSense management interface
  • Enable detailed logging and monitoring for directory traversal attempts in web server logs

🔍 How to Verify

Check if Vulnerable:

Check if /usr/local/www/suricata/suricata_ip_reputation.php contains unsanitized iplist parameter usage before the fix commit.

Check Version:

pkg info | grep -i pfsense

Verify Fix Applied:

Verify the file contains proper input validation/sanitization for the iplist parameter after applying the patch.
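The kind of validation this check looks for, as an added illustration rather than pfSense's actual patch (which is PHP; this is written in Python to show the pattern): the unsafe join-and-test idiom beside a hardened resolver that accepts only a bare file name and confirms the resolved path stays inside the list directory. `IPLIST_DIR`, `unsafe_iplist_exists` and `resolve_iplist` are names chosen for this example and are not pfSense identifiers.

```python
import os
from urllib.parse import unquote

# Hypothetical directory holding the IP-list files; an assumption for this
# example, not a real pfSense path.
IPLIST_DIR = "/tmp/example-iplists"


def unsafe_iplist_exists(value: str, base_dir: str = IPLIST_DIR) -> bool:
    """Pattern to avoid: join a user-supplied name onto a directory and test
    existence. A '..' segment walks out of base_dir, and the True/False
    answer becomes a file-existence oracle for the whole filesystem."""
    return os.path.exists(os.path.join(base_dir, value))


def resolve_iplist(value: str, base_dir: str = IPLIST_DIR):
    """Return the absolute path of the list file if `value` is a bare file
    name that stays inside base_dir, otherwise None (reject, never 'clean up')."""
    decoded = unquote(value)  # the web layer decodes once; mirror that here
    if not decoded or "\x00" in decoded:
        return None
    # Refuse anything that is not a plain file name: path separators,
    # '.'/'..' segments, and backslashes (which Windows-style parsers treat
    # as separators even though POSIX basename() does not).
    if decoded != os.path.basename(decoded) or decoded in (".", "..") or "\\" in decoded:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    # Containment check after symlink resolution: a symlink inside base_dir
    # that points elsewhere would move the resolved path out of `base`.
    if os.path.dirname(target) != base:
        return None
    return target


if __name__ == "__main__":
    for candidate in ("custom.txt", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "..%5C..%5Cboot.ini"):
        print(f"{candidate!r:32} -> {resolve_iplist(candidate)}")
```

The allow-list check (bare file name only) does the real work; the realpath containment check is the backstop that also catches symlinks planted inside the directory. Rejecting with `None` rather than stripping `..` avoids the usual bypasses of sanitize-and-continue code.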

📡 Detection & Monitoring

Log Indicators:

  • Web server logs showing directory traversal sequences in iplist parameter requests
  • Failed authentication attempts followed by traversal patterns

Network Indicators:

  • HTTP requests containing '../' or similar traversal patterns in parameters

SIEM Query:

source="web_access.log" AND (url="*suricata_ip_reputation*" AND (param="*../*" OR param="*..\\*"))
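The log and network indicators above, run as an added detection example over constructed access-log lines (this code and the sample lines in `SAMPLE_LOG` are made up for the example and are not part of the advisory). It parses common-log-format lines, keeps only requests to suricata_ip_reputation.php, and flags an `iplist` value that contains `../` or `..\` after decoding, including the double-encoded form (`..%252F`) that the literal `*../*` pattern in the SIEM query above would miss.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - admin [15/Jan/2025:10:00:01 +0000] "GET /suricata/suricata_ip_reputation.php?iplist=custom.txt HTTP/1.1" 200 1432',
    '192.0.2.10 - admin [15/Jan/2025:10:00:07 +0000] "GET /suricata/suricata_ip_reputation.php?iplist=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432',
    '192.0.2.10 - admin [15/Jan/2025:10:00:09 +0000] "GET /suricata/suricata_ip_reputation.php?iplist=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1432',
    '203.0.113.5 - admin [15/Jan/2025:10:02:00 +0000] "GET /suricata/suricata_ip_reputation.php?iplist=..%5C..%5Cboot.ini HTTP/1.1" 200 1432',
    '198.51.100.7 - - [15/Jan/2025:10:03:00 +0000] "GET /index.php?q=..%2F..%2F HTTP/1.1" 200 220',
]

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' followed by a forward or back slash, the two forms the advisory lists.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so '..%252F' is judged as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def detect_iplist_traversal(lines):
    """Return one finding per request to suricata_ip_reputation.php whose
    iplist parameter contains a '../' or '..\\' sequence after decoding."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than crash
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/suricata_ip_reputation.php"):
            continue
        # parse_qs decodes one layer; fully_decode handles double encoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("iplist", []):
            value = fully_decode(raw)
            if TRAVERSAL_RE.search(value):
                findings.append({"ip": m.group("ip"), "user": m.group("user"),
                                 "time": m.group("ts"), "iplist": value})
    return findings


if __name__ == "__main__":
    for f in detect_iplist_traversal(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} user={f['user']} iplist={f['iplist']!r}")
```

Matching on the decoded parameter value rather than the raw URL is what keeps the rule from being trivially evaded by encoding; the `user` field is worth keeping in the finding because, per the advisory, every request that reaches this page is authenticated, so the account itself is the lead for the responder.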
