CVE-2024-57273

low-risk

Published 2025-05-14

Netgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross-site scripting (XSS) in the Automatic Configuration Backup (ACB) service, allowing remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information via an unsanitized "reason" field and a derivable device key generated from the public SSH key.

Do I need to act?

0.22% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Pfsense Ce

Pfsense Plus

Affected Vendors

Netgate

References (4)

Product http://netgate.com

Exploit https://blog.brillantit.com/exploiting-pfsense-xss-command-injection-cloud-hijac...

Third Party Advisory https://docs.netgate.com/downloads/pfSense-SA-25_03.webgui.asc

Release Notes https://www.netgate.com/blog/important-security-updates-for-pfsense-plus-24.11-a...

/ 100

low-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 7/34 · Low