CVE-2024-54780

moderate-risk

Published 2025-05-14

Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the OpenVPN management interface. An authenticated attacker can exploit this vulnerability by injecting arbitrary OpenVPN management commands via the remipp parameter.

Do I need to act?

8.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (2)

Pfsense Ce

Pfsense Plus

Affected Vendors

Netgate

References (2)

Exploit https://blog.brillantit.com/exploiting-pfsense-xss-command-injection-cloud-hijac...

Patch https://www.netgate.com/blog/important-security-updates-for-pfsense-plus-24.11-a...

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 10/34 · Low

Exposure 7/34 · Low