CVE-2025-53392Absolute Path Traversal in Pfsense

CWE-36Absolute Path Traversal3 documents3 sources
Severity
6.5MEDIUMNVD
CNA5.0
EPSS
0.1%
top 76.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Netgate PfsensePfsense
Timeline
PublishedJun 28
Latest updateJun 29

Description

In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5netgate/pfsense2.8.0
NVDpfsense/pfsense2.8.0

🔴Vulnerability Details

2
GHSA
GHSA-7hr6-mvjp-x5qv: In Netgate pfSense CE 22025-06-29
CVEList
CVE-2025-53392: In Netgate pfSense CE 22025-06-28
CVE-2025-53392 — Absolute Path Traversal in Pfsense | cvebase