cbcvebase.
CVE-2021-41282
published 2022-03-01


Priority: P2, 78, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 87.11% (99.7th percentile)
diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.

Affected

1 range
Vendor | Product | Version range | Fixed in
pfsense | pfsense | | 

Detection & IOCs (extracted from sources)

path: /diag_routes.php
url: /diag_routes.php?isAjax=1&filter=.*/!d;};s/Destination/\x3c\x3fphp+var_dump(md5(\x27CVE-2021-41282\x27));unlink(__FILE__)\x3b\x3f\x3e/;w+/usr/local/www/test.php%0a%23
other: c3959e8a43f1b39b0d1255961685a238
  • Monitor HTTP GET requests to /diag_routes.php with an 'isAjax=1' parameter and a 'filter' value containing sed write commands (e.g., ';w+' or newline-encoded '%0a') — this is the injection vector for arbitrary file write.
  • Detect web shell creation under /usr/local/www/ on pfSense hosts — the exploit writes a PHP web shell to this web root via sed injection.
  • Alert on Shodan/FOFA-exposed pfSense login pages being targeted; attacker reconnaissance commonly uses 'http.title:"pfsense - login"' to identify targets.
  • The exploit requires authentication with the 'WebCfg - Diagnostics: Routing tables' privilege; monitor for authenticated low-privilege users accessing /diag_routes.php followed by new PHP files appearing in /usr/local/www/.
  • Look for URL-encoded newline (%0a) followed by a comment character (%23) in the 'filter' parameter of requests to diag_routes.php — this is used to terminate the injected sed command.
  • Exploitation requires an authenticated session; the attacker must first POST valid credentials to /index.php and obtain a CSRF token (matching regex 'sid:[a-z0-9,;:]+') before the injection request can succeed.
  • Standard escapeshellarg protections are in place but are insufficient — the injection is sed-specific (not a general shell command injection), so shell-level escaping does not prevent it.
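The detection points above, turned into a small log scanner. This is an added example, not code from the CVE record or from pfSense; it assumes combined-format web access logs and uses constructed sample lines (the second line only mimics the shape of the filter parameter, with a PAYLOAD placeholder).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the page). Line 2 carries the
# filter shape the IoCs describe: ';' separators, a sed 'w' command aimed at
# the web root, and a trailing %0a%23 (newline + comment) closing the command.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2022:10:00:01 +0000] "GET /diag_routes.php?isAjax=1&filter=192.168.1.0 HTTP/1.1" 200 512
10.0.0.9 - viewer [01/Mar/2022:10:00:07 +0000] "GET /diag_routes.php?isAjax=1&filter=x/!d%3B%7D%3Bs/Destination/PAYLOAD/%3Bw+/usr/local/www/test.php%0a%23 HTTP/1.1" 200 128
10.0.0.5 - admin [01/Mar/2022:10:01:00 +0000] "GET /status.php HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A sed write command ('w FILE') reached through a command separator (';', '}' or newline).
SED_WRITE_RE = re.compile(r'[;}\n]\s*w\s+\S')

def filter_reasons(value: str) -> list[str]:
    """Explain why a decoded 'filter' value looks like sed injection ([] if clean)."""
    reasons = []
    if "\n" in value:
        reasons.append("newline in filter (terminates injected command)")
    if SED_WRITE_RE.search(value):
        reasons.append("sed write command after separator")
    if "/usr/local/www" in value:
        reasons.append("target path under pfSense web root")
    return reasons

def scan_log(text: str) -> list[dict]:
    """Return one finding per diag_routes.php request whose filter looks injected."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/diag_routes.php":
            continue
        # parse_qs percent-decodes once and turns '+' into a space, as the server would
        for value in parse_qs(url.query, keep_blank_values=True).get("filter", []):
            reasons = filter_reasons(value)
            if reasons:
                findings.append({"line": lineno, "client": m.group("client"),
                                 "user": m.group("user"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Pair a hit from this scanner with a file-creation watch on /usr/local/www/ (the second bullet) to confirm a successful write rather than a blocked attempt.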

CVSS provenance

nvd v3.1: 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 9.0 CRITICAL AV:N/AC:L/Au:S/C:C/I:C/A:C