CVE-2025-34173
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-10-20

Assigner: VulnCheck

Description
In pfSense CEΒ /usr/local/www/snort/snort_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. While the contents of the file cannot be read, the server reveals whether a file exists, which allows an attacker to enumerate files on the target. The attacker must be authenticated with at least "WebCfg - Services: Snort package" permissions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-09
Last Modified
2025-10-20
Generated
2026-06-16
AI Q&A
2025-09-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34173
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pfsense pfsense to 2.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the pfSense Snort package, specifically in the file snort_ip_reputation.php. The iplist parameter is not properly sanitized to remove directory traversal characters before checking if a file exists. Although an attacker cannot read file contents, they can determine whether arbitrary files exist on the server by exploiting this flaw. The attacker must be authenticated with at least 'WebCfg - Services: Snort package' permissions to exploit this. [1]

Impact Analysis

The vulnerability allows an authenticated attacker to enumerate files on the server by checking for their existence without proper input validation. This can lead to information disclosure about the server's file structure, which may aid further attacks or reconnaissance. However, the attacker cannot read the contents of the files. [1]

Detection Guidance

This vulnerability can be detected by attempting to exploit the directory traversal in the iplist parameter of the Snort package's snort_ip_reputation.php page while authenticated with appropriate permissions. A test could involve sending crafted POST requests to /usr/local/www/snort/snort_ip_reputation.php with iplist values containing directory traversal strings (e.g., ../../etc/passwd) and observing if the server reveals whether such files exist. Specific commands could include using curl or similar tools to send such POST requests and checking the response for file existence indications. For example: curl -X POST -d "iplist=../../etc/passwd" https://<pfsense-ip>/snort/snort_ip_reputation.php --cookie "<auth-cookie>". Note that authentication with "WebCfg - Services: Snort package" permissions is required. [1]

Mitigation Strategies

Immediate mitigation steps include updating the pfSense Snort package to a version that contains the fix for this vulnerability. The fix is included in pfSense Plus versions 25.07.1 and 25.07, and Community Edition versions 2.8.1 and 2.8.0. The update restricts file existence checks to the designated IP reputation directory, preventing directory traversal attacks. Until the update is applied, restrict access to the Snort package web interface to trusted users only, ensuring that only authenticated users with the necessary permissions can access it. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart