CVE-2025-34176 MEDIUM

CVE-2025-34176: Netgate pfSense CE Suricata Package v7.0.8_2 Directory Traversal Information Disclosure

Vendor Netgate
Product pfSense CE
Weakness CWE-22 · Path traversal
Published September 9, 2025
Last update November 20, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

In pfSense CE /suricata/suricata_ip_reputation.php, the value of the iplist parameter is not sanitized for directory traversal strings or characters. The value is used directly in a file existence check. The contents of the file cannot be read, but the server reveals whether the file exists, which enables an attacker to enumerate files on the target. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.
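The weakness class described above, shown as an added PHP example with the unsanitized existence check beside a hardened form. This is not pfSense or Suricata package code: the IPLIST_DIR path, both function names and the demo files are hypothetical.

```php
<?php
// Added illustration only. IPLIST_DIR is a hypothetical base directory.
const IPLIST_DIR = '/var/db/example/iprep';

// Pattern the description warns about: a request value is joined to a
// directory and passed to an existence check, so "../" segments in the
// value decide which path on the filesystem is actually probed.
function iplist_exists_unsafe(string $iplist, string $baseDir = IPLIST_DIR): bool
{
    return file_exists($baseDir . '/' . $iplist);
}

// Hardened form: allow-list the name, resolve it, and confirm containment.
// Rejected names and absent files both return false, so the caller gives
// the same answer in both cases and no existence oracle remains.
function iplist_exists_safe(string $iplist, string $baseDir = IPLIST_DIR): bool
{
    // Plain file names only: no separators, no leading dot, bounded length.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $iplist)) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // realpath() follows symlinks, so a link inside the directory that
    // points elsewhere fails the parent-directory comparison below.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $iplist);
    if ($resolved === false || dirname($resolved) !== $base) {
        return false;
    }
    return is_file($resolved);
}

// Constructed demo layout under the system temp directory.
$root = sys_get_temp_dir() . '/iprep_demo_' . getmypid();
mkdir($root . '/lists', 0700, true);
touch($root . '/lists/blocklist.txt');
touch($root . '/outside.txt');

foreach (['blocklist.txt', 'missing.txt', '../outside.txt'] as $name) {
    printf("%-16s unsafe=%s safe=%s\n", $name,
        var_export(iplist_exists_unsafe($name, $root . '/lists'), true),
        var_export(iplist_exists_safe($name, $root . '/lists'), true));
}
```

The two functions disagree only on the name that leaves the base directory, which is the case the advisory describes.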

Key dates

02 Disclosure timeline

September 9, 2025 CVE published
November 20, 2025 Record updated
