CVE-2025-53392

Published Jun 28, 2025

Last updated 8 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-53392 affects Netgate pfSense CE version 2.8.0. It is a directory traversal vulnerability reachable with the "WebCfg - Diagnostics: Command" privilege: a user holding that privilege can read arbitrary files through the dlPath parameter of diag_command.php. Manipulating the dlPath argument results in absolute path traversal (CWE-36). The behavior is only reachable when the "WebCfg - Diagnostics: Command" privilege has been granted. Note that the vendor considers this intended behavior for that privilege level, stating that administrators are informed through both the product documentation and the user interface.

Description
In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.
Source: cve@mitre.org
NVD status: Awaiting Analysis
CNA Tags: disputed

Risk scores

CVSS 3.1

Type: Secondary
Base score: 5.0
Impact score: 1.4
Exploitability score: 3.1
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Severity: MEDIUM

Weaknesses

cve@mitre.org: CWE-36 (Absolute Path Traversal)
