CVE-2025-34177
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in the Suricata package for pfSense CE lets an authenticated user who holds the 'WebCfg - Services: suricata package' privilege store HTML or JavaScript in a Suricata flow/stream policy (the policy_name parameter handled by suricata_flow_stream.php). Because the value is saved in the firewall configuration and rendered back without proper escaping, the script executes in the browser of any other administrator who later views the page, which can lead to session hijacking or administrative actions performed on the victim's behalf. Only pfSense CE installations with the Suricata package installed are affected, and only users with that privilege can plant the payload.
💻 Affected Systems
- pfSense CE
📦 What is this software?
pfSense CE is the open-source, FreeBSD-based firewall and router distribution maintained by Netgate. The affected component is its optional Suricata IDS/IPS package (pfSense-pkg-suricata), whose configuration pages run inside the pfSense webConfigurator.
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider could steal administrator session cookies, perform unauthorized configuration changes, or redirect administrators to phishing sites, potentially compromising the entire firewall.
Likely Case
An attacker with legitimate but malicious intentions uses their access to inject scripts that steal session tokens from other administrators, gaining persistent access to the firewall management interface.
If Mitigated
If the 'WebCfg - Services: suricata package' privilege is restricted to trusted administrators and Suricata policy changes are monitored, no lower-privileged user is in a position to plant the payload. The residual risk is an already-trusted administrator abusing the flaw against a colleague, which monitoring narrows but does not eliminate.
🎯 Exploit Status
Exploitation requires a valid webConfigurator account that holds the 'WebCfg - Services: suricata package' privilege. With that access, planting the payload is a matter of saving a flow/stream policy with a crafted name through the normal web interface; no memory corruption or special tooling is involved. This page references no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Suricata package builds that include commit 97852ccfd201b24ee542be30af81272485fde0b4
Vendor Advisory: https://redmine.pfsense.org/issues/16414
Restart Required: No
Instructions:
1. Update the Suricata package from System > Package Manager > Installed Packages, and install any pfSense CE update that is offered. The fix ships in the package, not in the base system.
2. Alternatively, apply the specific patch from GitHub commit 97852ccfd201b24ee542be30af81272485fde0b4 to the package's PHP files.
3. No service restart is required; the change affects only the web interface pages, not the running Suricata daemon.
🔧 Temporary Workarounds
Remove the privilege from non-essential users
Temporarily remove the 'WebCfg - Services: suricata package' privilege from every user who does not strictly need it until patching is complete. This stops new payloads from being stored; it does not remove a payload that is already saved in a policy name.
Navigate to System > User Manager > Edit User > Privileges tab > Uncheck 'WebCfg - Services: suricata package'. Check group privileges under System > User Manager > Groups as well, since a user can inherit the privilege from a group.
🧯 If You Can't Patch
- Limit the 'WebCfg - Services: suricata package' privilege to trusted administrators only, and review existing Suricata flow/stream policy names for anything that looks like markup.
- A Content Security Policy header on the webConfigurator would reduce the impact of an injected script, but pfSense exposes no setting for it; adding one means editing the webConfigurator's nginx configuration by hand, which is unsupported and does not fix the missing escaping itself.
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if the Suricata package is installed and its version does not include commit 97852ccfd201b24ee542be30af81272485fde0b4. Installations without the Suricata package are not affected.
Check Version:
SSH into pfSense and run 'cat /etc/version' for the base version, or read it from the System Information widget on the dashboard. Because the fix ships in the package, also check the installed Suricata package version under System > Package Manager > Installed Packages, or run 'pkg info pfSense-pkg-suricata' from the shell.
Verify Fix Applied:
After updating, confirm that the installed package version includes the commit, or test the behaviour directly: save a flow/stream policy whose name contains harmless markup such as <b>test</b>, reload the page, and confirm the name is displayed as literal text rather than rendered as bold. Delete the test policy afterwards.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to Suricata flow/stream policies, especially names containing markup characters such as <, >, quotes, or the word 'script'
- Failed webConfigurator logins followed by a successful login and then immediate activity on suricata_flow_stream.php
Network Indicators:
- Unexpected outbound connections from the pfSense management interface, or from administrators' workstations immediately after they view the Suricata pages (an exfiltration beacon carrying a stolen session cookie)
- Traffic from the firewall or administrator workstations to domains that appear in a suspicious policy name
SIEM Query:
source="pfSense" AND (event_type="web_access" AND uri="/suricata/suricata_flow_stream.php" AND (method="POST" OR method="GET"))
This query assumes webConfigurator access logs are being forwarded to the SIEM; POST requests are the policy saves and are the primary signal, GET requests are the views that would trigger a stored payload.
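The SIEM query above returns every hit on the page and leaves the triage to the analyst. The following Python script is an added example, not code from this page or from the pfSense project, that does the same triage offline over nginx combined-format access log lines: it separates policy saves (POST) from views (GET), flags any policy_name query value containing HTML metacharacters, and lists which source addresses saved a policy so they can be reconciled against the administrators authorised to do so. The log lines are constructed for the example, and it assumes the webConfigurator access log is in the combined format; a POST body is never in an access log, so the query-string check only catches the sloppy case and the POST itself remains the primary signal.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Page affected by CVE-2025-34177 (from the advisory).
TARGET_PATH = "/suricata/suricata_flow_stream.php"

# Characters that should never appear in a legitimate policy name.
HTML_META = re.compile(r"[<>\"']")

# nginx "combined" log format: ip - user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (assumption: webConfigurator access logging in combined format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET /suricata/suricata_flow_stream.php?id=0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jul/2025:10:00:09 +0000] "POST /suricata/suricata_flow_stream.php?id=0 HTTP/1.1" 302 0 "https://fw/suricata/suricata_flow_stream.php?id=0" "Mozilla/5.0"
10.0.0.7 - - [01/Jul/2025:10:01:00 +0000] "GET /status_dashboard.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jul/2025:10:02:00 +0000] "GET /suricata/suricata_flow_stream.php?id=0&policy_name=%3Cscript%3E HTTP/1.1" 200 5120 "-" "curl/8.4"
10.0.0.5 - - [01/Jul/2025:10:03:00 +0000] "GET /suricata/suricata_flow_stream.php?id=0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the reasons a request is interesting, or [] if it is not on the target page."""
    url = urlsplit(rec["target"])
    if url.path != TARGET_PATH:
        return []
    reasons = []
    if rec["method"] == "POST":
        # A save of a flow/stream policy: this is where a stored payload would be written.
        reasons.append("policy_write")
    # parse_qs percent-decodes, so %3Cscript%3E becomes <script> before the check.
    for value in parse_qs(url.query, keep_blank_values=True).get("policy_name", []):
        if HTML_META.search(value):
            reasons.append("html_in_policy_name")
            break
    if not reasons:
        # A plain view of the page: the moment a stored payload would execute.
        reasons.append("policy_view")
    return reasons


def scan(log_text):
    """Return the interesting requests from a block of log text, in log order."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            events.append({"ip": rec["ip"], "time": rec["time"],
                           "method": rec["method"], "reasons": reasons})
    return events


def writers(events):
    """Source addresses that saved a policy, with counts, to reconcile against authorised admins."""
    return Counter(e["ip"] for e in events if "policy_write" in e["reasons"])


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for e in found:
        print(e["time"], e["ip"], e["method"], ",".join(e["reasons"]))
    print("policy writers:", dict(writers(found)))
```

Feed it real lines with `scan(open("/path/to/access.log").read())`; anything tagged `policy_write` from an address that is not an administrator's workstation, and every `html_in_policy_name`, deserves a look at the saved policy names in the Suricata configuration.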