CVE-2019-16701

Name of the Vulnerable Software and Affected Versions pfSense versions 2.3.4 through 2.4.4-p3

Description The issue allows for remote code injection via a methodCall XML document. This is achieved by using a pfsense.exec php call that contains shell metacharacters in a parameter value, such as parameter value. This enables an attacker to inject malicious code.

Recommendations For pfSense versions 2.3.4 through 2.4.4-p3, consider disabling the pfsense.exec php function to prevent remote code injection until a patch is available. Restrict access to the XML document methodCall to minimize the risk of exploitation. Avoid using parameter values that contain shell metacharacters in the affected API endpoint until the issue is resolved.