Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
The XMLRPC API interface in pfSense CE 2.8.0 exposes the pfsense.exec_php method, which allows arbitrary PHP code execution on the server. An attacker authenticated as an administrator can pass a PHP payload through this API call and achieve code execution in the system context. The vendor argues this is intentional behavior — administrators are deliberately granted the ability to execute PHP code.
An authenticated administrator can obtain full code execution on the server (RCE) with potential takeover of system control, its configuration and network data. Due to the scope (C:H/I:H/A:H, S:C), the impact may extend beyond the pfSense system itself.
Patches available from the vendor should be applied according to the references. Due to the vendor's dispute regarding the nature of the vulnerability, it is recommended to restrict access to the XMLRPC interface exclusively to trusted IP addresses, use strong and unique passwords for administrative accounts, and minimize the number of accounts with administrator privileges.
Netgate pfSense CE 2.8.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HPfsense
APPPfsense2.8.0
Related vulnerabilities
pfSense CE 2.7.2 — RCE przez deserializację PHP w instalatorze modułów
An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password...
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus so...
An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without ve...
Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a r...