-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-26_01.webgui Security Advisory pfSense Topic: Authenticated Command Execution in Service Status Category: pfSense Base System Module: webgui Announced: 2026-04-01 Credits: Jared Folkins Affects: pfSense Plus software versions < 26.03 pfSense CE software versions <= 2.8.1 Corrected: 2026-03-12 18:25:50 UTC (pfSense Plus master, 26.07) 2026-03-13 18:23:51 UTC (pfSense Plus plus-RELENG_26_03, 26.03) 2026-03-12 18:25:50 UTC (pfSense CE master, 2.9.0) 0. Revision History v1.0 2026-04-01 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential authenticated arbitrary command execution vulnerability was found in status_services.php, a component of the pfSense Plus and pfSense CE software GUI. The isvalidpid() function takes a $pidfile parameter and executes a shell command using that parameter without checking if the file exists first or escaping the value before execution. This function is called when stopping certain services via status_services.php. For example, the code that handles stopping OpenVPN instance services uses the "id" parameter when forming a PID file path, and since that value is not fully validated, a malicious value can trigger command execution. The code which handles stopping the Captive Portal service uses its "zone" parameter in a similar vulnerable way. This problem is present on pfSense Plus version 25.11.1, pfSense CE version 2.8.1, and earlier versions of both. III. Impact Due to a lack of validation and escaping in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value in POST operations. Users must be authenticated and have privileges to access status_services.php to trigger the issue. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 26.03 or later, or pfSense CE software versions after 2.8.1 when available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 25.11.1 and pfSense CE version 2.8.1 may apply the fix from the recommended patches list in the System Patches package after installing or updating the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master 54b03ca353a5e6ae14c91ed19bfe30f76493d7e9 plus/plus-RELENG_26_03 0909e53d39afa5b8245840ef4ef5a1f9ec7e1e44 pfSense/master 54b03ca353a5e6ae14c91ed19bfe30f76493d7e9 - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmnMGkIACgkQE7mH/ZIU +NraVQ//YD+6dif0tyT/utnSHiJzGOE+IcMS3Q+5nZfx78f2psm1rMg3b0E1r5QB a0BrGqqDcbvJBTW9edf6R5Y7Hqzh7G4JRDHx6C6pm/s4oGdBJguJp5klZFEMc9kI Brg8rHKU/Xzgn34C0ULBgG5zbZejiaXzTilHUtM8t0SLdpQPLqvnHnE0tGlejgXe TdIVaKlpnw8HKlp218iFE+0abblm0XJBA4cUkIy2i/RbyfBS27k4RRZ/C3cOPl5c Se6HVE8nowzmGE1fqj4eWbJjNv1rKhoA54ifDBPUBUVz66Wl7T6OTX6ph8aokx+K 3AjSMvC5lDxnX2JNOIoa/XaVlVBbtdyWzuewmQNa4ffkwBbh8dl/0HQpx9JH/JnO KfK0ekKZQ0s91GKcejdeIJs/TanfhbPNG3eLS+3yfOtC2eNlYVf4tkGk7rpFaJKU SdpOKE4lhkw8AJLtN5ADU6LycHTG0PBeqMaiQ/hRJj1j/wJh7wGT4uAO/5+JYvmx +tfWGXPbMBLKhrj8bCgSIt4NPXWeJNBrSLczGyhPxJEZ1EY/6dUI0dKmIpjzVRQ0 GRPoGErHT2pSpZSfE70aAoEFbbJeO7JVaBKyIP/VkxkWoIJcGavUXjhNBLNdraJ8 qm6jXkdY1zmPr32iU5pcpCypHxhENX21LHXPABSvHdf6/86Wozo= =GpNV -----END PGP SIGNATURE-----