PT-2025-27330 · Netgate · pfSense CE

Seth Kraft · Published 2025-06-28 · Updated 2025-06-29

CVE-2025-53392
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Netgate pfSense CE version 2.8.0
Description: The issue arises from the "WebCfg - Diagnostics: Command" privilege, which improperly allows users holding it to read arbitrary files on the system through a directory traversal attack on the dlPath parameter of diag_command.php. The supplier considers this behaviour intended for this privilege level, and system administrators are informed of it through the product documentation and UI.
Recommendations: Users of Netgate pfSense CE version 2.8.0 should upgrade to a newer version once Netgate releases a patch. Until an official fix is available, apply the recommended workarounds that restrict access to diagnostic commands: as a temporary measure, consider disabling the diag_command.php functionality or restricting access to the dlPath directory to reduce the risk of exploitation.
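Added example for defenders (not part of the advisory or of pfSense's own code): a check that flags web-GUI requests whose dlPath value, after percent-decoding and path normalisation, would leave an expected download directory, run over constructed nginx-style access log lines. The log format, the base directory `/tmp` and the sample lines are assumptions.

```python
"""Flag diag_command.php requests whose dlPath escapes an allowed directory.
Constructed example: log format, ALLOWED_BASE and sample lines are assumptions."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed: downloads are only expected from this directory (placeholder value).
ALLOWED_BASE = "/tmp"

# Minimal nginx combined-format pattern: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def dlpath_escapes_base(dl_path: str, base: str = ALLOWED_BASE) -> bool:
    """True when dlPath, decoded and normalised, does not stay under base."""
    decoded = unquote(unquote(dl_path))  # tolerate single or double percent-encoding
    # Relative values are resolved against base, as a file download would do.
    candidate = decoded if decoded.startswith("/") else posixpath.join(base, decoded)
    normalised = posixpath.normpath(candidate)
    return not (normalised == base or normalised.startswith(base.rstrip("/") + "/"))


def find_traversal_attempts(log_lines):
    """Return (client IP, decoded dlPath) for diag_command.php requests that escape base."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if posixpath.basename(url.path) != "diag_command.php":
            continue
        for value in parse_qs(url.query).get("dlPath", []):
            if dlpath_escapes_base(value):
                hits.append((m.group("ip"), unquote(unquote(value))))
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jun/2025:10:00:01 +0000] "GET /diag_command.php?dlPath=output.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [28/Jun/2025:10:00:05 +0000] "GET /diag_command.php?dlPath=..%2F..%2Fsecret.txt HTTP/1.1" 200 64',
    '192.0.2.12 - - [28/Jun/2025:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '192.0.2.13 - - [28/Jun/2025:10:00:12 +0000] "GET /diag_command.php?dlPath=%252e%252e%252F%252e%252e%252Fsecret.txt HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"possible dlPath traversal from {ip}: {path}")
```

The same containment check (absolute path after normalisation must remain under the allowed directory) is what a server-side fix would enforce before opening the file.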

Related Identifiers

BDU:2026-02557
CVE-2025-53392

Affected Products

pfSense CE