cbcvebase.
CVE-2022-40624
published 2022-12-20

CVE-2022-40624: pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than…

Priority P2 · 75 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 17.11% (96.7th percentile)
pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.

Affected (1 range)

Vendor    Product      Version range   Fixed in
pfsense   pfblockerng  < 2.1.4_27      2.1.4_27

Note: the range table lists 2.1.4_27 as the fixed version, while the CVE description says versions through 2.1.4_27 are affected. Confirm the exact fixed package build against the pfBlockerNG changelog before closing a finding on an installation that reports 2.1.4_27.

Detection & IOCs (extracted from sources)

Path: /pfblockerng/www/index.php
  • The exploit is delivered via a malformed HTTP Host header containing shell metacharacters (e.g. single quote, asterisk, semicolon) in a request for /pfblockerng/www/index.php. Monitor HTTP requests to this path where the Host header contains characters such as `'`, `*`, or `;`; none of these occur in a hostname or IP literal, so a hit on this path is a strong signal.
  • A pre-check GET request to /pfblockerng/www/index.php that returns a GIF image (Content-Type: image/gif, body containing 'GIF') fingerprints a pfBlockerNG DNSBL endpoint before exploitation is attempted.
  • Time-based blind OS command injection detection: if a request with a shell-injected Host header is answered 7 or more seconds later, the target is likely vulnerable. Measure a baseline response time for an uninjected request first, so a slow or overloaded host is not misread as vulnerable.
  • Shodan and FOFA queries for the string "pfBlockerNG" identify internet-facing instances.
  • Exploitation requires sending an 'unsafe' raw HTTP request: the Host header is deliberately malformed because it carries shell metacharacters. Some HTTP client libraries normalize or refuse such a header, so use a raw-socket or raw-request client (for example a Nuclei raw request with `unsafe: true`) for both exploitation testing and detection validation.
  • The vulnerability affects pfBlockerNG through version 2.1.4_27. The exploit flow is a two-step check: first confirm the GIF endpoint is reachable, then send the injected Host header.
  • This is distinct from CVE-2022-31814, which is also an OS command injection in pfBlockerNG but via a different attack vector.
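The following Python script is an added detection example for the indicators above. It is not code from this page, from pfBlockerNG, or from any PoC or Nuclei template; it shows the two checks a defender can run offline: flagging requests for the vulnerable path whose Host header carries shell metacharacters (parsed leniently, since a strict HTTP parser would reject exactly the malformed header this exploit needs), and the GIF fingerprint pre-check. The path constant, the request samples and the GIF response are constructed for the example, and the metacharacter set is an assumption that extends the three characters the page names (`'`, `*`, `;`) with the other shell operators that would work in the same sink.

```python
"""Detection helper for CVE-2022-40624 (added illustration; not pfBlockerNG
code and not the page's PoC/Nuclei template). Parses raw HTTP requests
leniently, flags requests for the pfBlockerNG DNSBL endpoint whose Host
header contains shell metacharacters, and implements the GIF pre-check.
All sample requests and responses below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VULN_PATH = "/pfblockerng/www/index.php"

# The page names ' * and ; as the injected characters. The rest of this set
# is an assumption: other shell operators usable in the same injection point.
SHELL_META = set("'*;`|&$<>(){}\r\n")


@dataclass
class Finding:
    host: str
    path: str
    metachars: List[str]


def parse_raw_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw request into (method, target, headers) without validating
    header values, so a malformed Host header survives intact."""
    text = raw.decode("latin-1")          # byte-preserving, never raises
    lines = re.split(r"\r?\n", text)
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":                    # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            # header names are case-insensitive; last occurrence wins
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def normalize_path(target: str) -> str:
    """Drop the query string and collapse repeated slashes."""
    path = target.split("?", 1)[0]
    return re.sub(r"/+", "/", path)


def inspect_request(raw: bytes) -> Optional[Finding]:
    """Return a Finding if the request targets the vulnerable endpoint and
    its Host header contains shell metacharacters; otherwise None."""
    _method, target, headers = parse_raw_request(raw)
    path = normalize_path(target)
    if path != VULN_PATH:
        return None
    host = headers.get("host", "")
    hits = sorted({c for c in host if c in SHELL_META})
    if not hits:
        return None
    return Finding(host=host, path=path, metachars=hits)


def scan_requests(raws: List[bytes]) -> List[Finding]:
    """Run inspect_request over a batch (e.g. requests replayed from a pcap)."""
    return [f for f in (inspect_request(r) for r in raws) if f is not None]


def looks_like_pfblockerng(headers: Dict[str, str], body: bytes) -> bool:
    """The page's pre-check: the endpoint answers a plain GET with a GIF
    (Content-Type image/gif, body containing 'GIF'). Header names lowercased."""
    ctype = headers.get("content-type", "").lower()
    return ctype.startswith("image/gif") and b"GIF" in body


# Constructed samples: a benign fingerprint probe, an injection attempt
# (metacharacters only, no working payload), and an unrelated path.
SAMPLE_REQUESTS = [
    b"GET /pfblockerng/www/index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    b"GET //pfblockerng/www/index.php?x=1 HTTP/1.1\r\nHost: x';*;y\r\nUser-Agent: curl\r\n\r\n",
    b"GET /index.php HTTP/1.1\r\nHost: ';id;'\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {f.path} Host={f.host!r} metachars={f.metachars}")
    print(looks_like_pfblockerng({"content-type": "image/gif"}, b"GIF89a\x01\x00"))
```

The third sample shows why the path check matters: the same metacharacters in a Host header for an unrelated path are noise for this CVE and should be routed to a generic header-anomaly rule instead. The time-based check from the list above is not reproduced here because it needs live round-trip timing; when you add it, compare the injected request's latency against a baseline request to the same host rather than against a fixed 7-second threshold alone.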