CVE-2018-4019

Name of the Vulnerable Software and Affected Versions pfSense CE version 2.4.4-RELEASE

Description A command injection issue exists in the way pfSense CE processes the parameters of a specific POST request. This allows an attacker to execute arbitrary commands on the system by exploiting the powerd normal mode parameter in authenticated POST requests to the administration web interface.

Recommendations For pfSense CE version 2.4.4-RELEASE, consider restricting access to the administration web interface to minimize the risk of exploitation. As a temporary workaround, avoid using the powerd normal mode parameter in POST requests until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.