CVE-2023-27253
published 2023-03-17

Priority: P2 (79) · high
CVSS 3.1 base score: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 90.66% (99.8th percentile)
A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.

Affected (1 range)

Vendor    Product    Version range    Fixed in
netgate   pfsense    (not given)      (not given)

Detection & IOCs (extracted from sources)

URL: /diag_backup.php
Port: 443
Command: WAN_DHCP-quality.rrd';#{payload.encoded};
Filename: rrddata-config-pfSense.home.arpa-<rand>.xml
Path: /var/db/rrd/WAN_DHCP-quality.rrd
Other: config.xml
  • Monitor POST requests to /diag_backup.php with multipart/form-data containing restorearea=rrddata and a conffile upload — this is the specific endpoint and parameter combination used to trigger the injection.
  • Inspect uploaded XML config files (conffile field) for shell metacharacters such as single quotes and semicolons embedded in RRD filename fields, e.g. patterns like <filename>...rrd';...;</filename>.
  • Detect use of ${IFS} as a space substitute in uploaded XML content, which is used to bypass bad-character filtering on the slash and quote characters.
  • Alert on pfSense processes spawning unexpected child processes as root following a restore operation via diag_backup.php — the exploit executes OS commands as the 'root' user.
  • Look for uploaded XML filenames matching the pattern rrddata-config-pfSense.home.arpa-<14 alphanumeric chars>.xml in web server logs, which is the filename template used by the Metasploit module.
  • The vulnerability affects pfSense versions prior to 2.7.0; the Metasploit module was specifically tested on 2.6.0-RELEASE. Exploitation requires the attacker to be authenticated with the 'WebCfg - Diagnostics: Backup & Restore' privilege.
  • The payload bad characters are 0x2F (forward slash '/') and 0x27 (single quote "'"), requiring encoding/substitution (e.g. ${IFS} for spaces); detection rules should account for these obfuscation techniques.
  • The exploit notes IOC_IN_LOGS as a side effect, meaning evidence of exploitation should appear in pfSense web server/application logs, making log review a viable detection method.
  • The exploit also produces CONFIG_CHANGES as a side effect: the restore operation modifies the running configuration, so unexpected configuration changes on pfSense appliances should be investigated.
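The second and third detection notes above can be turned into a file check. The following is an added example, not part of this record or of the Metasploit module: it parses a captured conffile upload, walks the RRD entries and flags any <filename> that is not a plain *.rrd name, reporting shell metacharacters and the ${IFS} substitution. The <rrddata>/<rrddatafile>/<filename> layout and the sample XML are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Characters the detection notes call out: quote and semicolon, plus other
# shell metacharacters that likewise have no place in an RRD filename.
SHELL_META = re.compile(r"[';`$&|<>\n]")
IFS_SUBST = re.compile(r"\$\{?IFS\}?")          # ${IFS} used as a space substitute
SAFE_RRD_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.rrd$")  # interface-graph.rrd and nothing else


def find_suspicious_rrd_filenames(xml_text: str) -> list[dict]:
    """Return one finding per RRD <filename> that is not a plain *.rrd name.

    Assumes the config.xml section restored by restore_rrddata() looks like
    <rrddata><rrddatafile><filename>..</filename>..</rrddatafile></rrddata>.
    For untrusted uploads prefer defusedxml; stdlib ET is used here to stay self-contained.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rrd_section in root.iter("rrddata"):
        for node in rrd_section.iter("filename"):
            name = (node.text or "").strip()
            if SAFE_RRD_NAME.match(name):
                continue
            reasons = []
            if SHELL_META.search(name):
                reasons.append("shell metacharacters")
            if IFS_SUBST.search(name):
                reasons.append("${IFS} space substitution")
            if "/" in name or ".." in name:
                reasons.append("path traversal characters")
            findings.append({"filename": name, "reasons": reasons or ["not a plain *.rrd name"]})
    return findings


# Constructed sample upload: one benign entry and one carrying the quote/semicolon/${IFS}
# pattern from the detection notes (PLACEHOLDER stands in for any command; not a payload).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <rrddata>
    <rrddatafile><filename>WAN_DHCP-quality.rrd</filename><xmldata>...</xmldata></rrddatafile>
    <rrddatafile><filename>WAN_DHCP-quality.rrd';PLACEHOLDER${IFS}ARG;</filename><xmldata>...</xmldata></rrddatafile>
  </rrddata>
</pfsense>
"""

if __name__ == "__main__":
    for finding in find_suspicious_rrd_filenames(SAMPLE_CONFIG):
        print(finding)
```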