Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-27100: Improper Restriction of Excessive Authentication Attempts in pfSense Plus

Severity: 9.8 CRITICAL (NVD)
EPSS: 3.5% (top 12.38%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products: see Affected Packages below
Timeline: Published Mar 22; latest update Apr 8

Description

Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (2 packages; only one is listed here)

NVD: pfsense/pfsense 2.6.0

Patches

🔴Vulnerability Details

1. GHSA GHSA-wmh3-5pfq-qpp8 (2023-03-23): Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22…

💥Exploits & PoCs

1. Exploit-DB (2023-04-08): pfsenseCE v2.6.0 - Anti-brute force protection bypass
CVE-2023-27100 — Netgate Pfsense Plus vulnerability | cvebase