CVE-2024-54780 — HIGH (8.8)

Q: How severe is CVE-2024-54780?

CVE-2024-54780 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-54780?

Check the references section above for vendor advisories and patch information. Affected products include: Netgate Pfsense Ce, Netgate Pfsense Plus.

Vulnerability Description

Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the OpenVPN management interface. An authenticated attacker can exploit this vulnerability by injecting arbitrary OpenVPN management commands via the remipp parameter.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Netgate	Pfsense Ce	< 2.8.0
Netgate	Pfsense Plus	< 25.03

Related Weaknesses (CWE)

CWE-94

References

https://blog.brillantit.com/exploiting-pfsense-xss-command-injection-cloud-hijacExploitThird Party Advisory
https://www.netgate.com/blog/important-security-updates-for-pfsense-plus-24.11-aPatchVendor Advisory

FAQ

What is CVE-2024-54780?

CVE-2024-54780 is a vulnerability with a CVSS score of 8.8 (HIGH). Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the Open...

How severe is CVE-2024-54780?

CVE-2024-54780 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-54780?

Check the references section above for vendor advisories and patch information. Affected products include: Netgate Pfsense Ce, Netgate Pfsense Plus.