CVE-2019-16701
published 2019-09-25


Priority: P2 (71, high)
CVSS 3.1 base score: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Tag: EXPLOIT
EPSS: 19.61% (97.0th percentile)
pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.

Affected

2 ranges

Vendor  | Product | Version range    | Fixed in
netgate | pfsense |                  |
netgate | pfsense | >= 2.3.4 < 2.4.4 | 2.4.4

Detection & IOCs (extracted from sources)

url: /xmlrpc.php
command: pfsense.exec_php
command: pfsense.exec_shell
path: /usr/local/www/<random32>.php
  • Monitor HTTP POST requests to /xmlrpc.php containing a methodCall body with 'pfsense.exec_php' or 'pfsense.exec_shell' method names, especially those including shell metacharacters or exec() calls in parameter values.
  • Alert on HTTP POST to /xmlrpc.php where the body contains the string 'exec_php' or 'exec_shell' alongside PHP exec() or eval() payloads.
  • Look for HTTP GET requests to newly created random-named .php files under the pfSense web root immediately following a POST to /xmlrpc.php, with a '?cmd=' query parameter indicating webshell interaction.
  • Flag any XMLRPC authentication attempts to /xmlrpc.php from external/untrusted IPs, as the exploit requires valid credentials (uid=0 or xmlrpc-ha-sync privilege) and probes with pfsense.host_firmware_version before executing the payload.
  • Exploitation requires valid credentials (admin uid=0 or a user with the 'system-xmlrpc-ha-sync' privilege); unauthenticated exploitation is not possible. Detection rules should account for authenticated sessions.
  • The exploit drops a webshell with a 32-character alphanumeric random filename, making static filename-based blocking ineffective; pattern-based detection on the directory and file extension is required.
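Detection logic that implements the monitoring notes above, written as an added example for this record (it is not code from the CVE source or from pfSense): it parses XML-RPC POST bodies to /xmlrpc.php for the exec_php/exec_shell method names with shell metacharacters or PHP execution functions in parameter values, then correlates a following GET to a random 32-character .php file carrying a ?cmd= parameter. The regexes and the sample traffic are constructed for illustration and are assumptions, not values taken from the record.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

SUSPECT_METHODS = {"pfsense.exec_php", "pfsense.exec_shell"}
SHELL_META = re.compile(r"[;|&`$<>]")                      # metacharacters named in the IOC notes
PHP_EXEC = re.compile(r"\b(exec|eval|system|shell_exec)\s*\(")
RANDOM_PHP = re.compile(r"^/[A-Za-z0-9]{32}\.php$")        # random 32-char name under the web root

def inspect_xmlrpc_body(body):
    """Return the reasons a methodCall body matches the notes above (empty list if clean)."""
    try:
        root = ET.fromstring(body)  # production code should parse untrusted XML with defusedxml
    except ET.ParseError:
        return ["unparseable XML-RPC body"]
    name = (root.findtext("methodName") or "").strip()
    if root.tag != "methodCall" or name not in SUSPECT_METHODS:
        return []
    reasons = ["method " + name]
    params = " ".join("".join(v.itertext()) for v in root.iter("value"))
    if SHELL_META.search(params):
        reasons.append("shell metacharacters in parameter value")
    if PHP_EXEC.search(params):
        reasons.append("PHP execution function in parameter value")
    return reasons

def inspect_requests(requests):
    """requests: (method, url, body) tuples in time order for one client. Returns alert strings."""
    alerts, exec_seen = [], False
    for method, url, body in requests:
        parts = urlsplit(url)
        if method == "POST" and parts.path == "/xmlrpc.php":
            reasons = inspect_xmlrpc_body(body)
            if reasons:
                exec_seen = True
                alerts.append("xmlrpc: " + ", ".join(reasons))
        # A GET to a random-named .php with ?cmd= is only reported after a suspicious POST.
        elif method == "GET" and exec_seen and RANDOM_PHP.match(parts.path) \
                and "cmd" in parse_qs(parts.query):
            alerts.append("webshell interaction: " + parts.path)
    return alerts

# Constructed sample traffic (not a real capture): version probe, exec_php call, follow-up GET.
SAMPLE = [
    ("POST", "/xmlrpc.php", "<methodCall><methodName>pfsense.host_firmware_version</methodName></methodCall>"),
    ("POST", "/xmlrpc.php", "<methodCall><methodName>pfsense.exec_php</methodName><params><param><value>"
                            "<string>echo one; echo two</string></value></param></params></methodCall>"),
    ("GET", "/" + "a" * 32 + ".php?cmd=constructed", ""),
]
```

Running `inspect_requests(SAMPLE)` yields one alert for the exec_php POST and one for the follow-up GET; the version probe alone produces nothing.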

CVSS provenance

NVD v3.1: 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C