CVE-2025-53392

Published Jun 28, 2025

Last updated 5 months ago

CVSS medium 5.0

Overview

Description
In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.
Source
cve@mitre.org
NVD status
Analyzed
CNA Tags
disputed
Products
pfsense

Risk scores

CVSS 3.1

Type
Primary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

cve@mitre.org
CWE-36

Social media

Hype score
Not currently trending

  1. 💥CVE-2025-53392 has been published, marked as vendor disputed. I'm committed to holding vendors to a higher standard when it comes to security architecture and implementation. https://t.co/a0p5l687HP https://t.co/7ay0ojD1JJ

    @skraft09

    29 Jun 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-53392 Netgate pfSense CE 2.8.0 Diagnostics Command Privilege Directory Travers... https://t.co/TkBOLlEgAX Vulnerability Notification: https://t.co/xhLrNnfyrO

    @VulmonFeeds

    29 Jun 2025

    95 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-53392 In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the S… https://t.co/BdCSjxSHsh

    @CVEnew

    28 Jun 2025

    965 Impressions

    1 Retweet

    6 Likes

    1 Bookmark

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.CVE-2025-34178
  2. In pfSense CE /suricata/suricata_flow_stream.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.CVE-2025-34177
  3. In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related strings/characters. This value is directly used in a file existence check operation. While the contents of the file cannot be read, the server reveals whether the file exists, which enables an attacker to enumerate files on the target. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.CVE-2025-34176
  4. In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated.CVE-2025-34175
  5. In pfSense CE /usr/local/www/snort/snort_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. While the contents of the file cannot be read, the server reveals whether a file exists, which allows an attacker to enumerate files on the target. The attacker must be authenticated with at least "WebCfg - Services: Snort package" permissions.CVE-2025-34173

References

Sources include official advisories and independent security research.