CVE-2025-34172: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Netgate pfSense CE
In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.
AI Analysis
Technical Summary
CVE-2025-34172 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the pfSense Community Edition (CE) firewall software, specifically in version 0.63_10. The vulnerability exists in the /usr/local/www/haproxy/haproxy_stats.php page, where the 'showsticktablecontent' parameter from HTTP GET requests is improperly sanitized before being reflected back in the web page output. This lack of proper input neutralization allows an attacker to inject malicious scripts that execute in the context of an authenticated user's browser session. Since the vulnerability requires the victim to be authenticated, the attacker must either trick a legitimate user into clicking a crafted link or exploit a session where the user is already logged in. The CVSS 4.0 base score of 4.8 (medium severity) reflects that the attack vector is network-based with low attack complexity, no privileges required but user interaction is necessary, and the impact is limited primarily to confidentiality with low scope and no impact on integrity or availability. The vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that mitigation may require manual input validation or configuration changes until an official fix is released.
Potential Impact
For European organizations using pfSense CE version 0.63_10, this vulnerability poses a risk primarily to the confidentiality of user sessions and data accessible via the pfSense web interface. Successful exploitation could allow attackers to steal session cookies, perform actions on behalf of authenticated users, or conduct phishing attacks by injecting malicious scripts. Given pfSense's widespread use as a firewall and router solution in small to medium enterprises, educational institutions, and some government agencies across Europe, exploitation could lead to unauthorized access to network management interfaces, potentially compromising network security. However, the requirement for user authentication and user interaction limits the attack's scope to targeted phishing or social engineering campaigns rather than broad automated exploitation. The vulnerability does not directly affect network availability or integrity but could be a stepping stone for further attacks if combined with other vulnerabilities or misconfigurations.
Mitigation Recommendations
European organizations should immediately audit their pfSense CE deployments to identify if version 0.63_10 is in use. Until an official patch is released, administrators should consider the following mitigations:
1) Restrict access to the pfSense web interface to trusted networks and VPN connections only, minimizing exposure to external attackers.
2) Implement strict Content Security Policy (CSP) headers on the pfSense web interface to limit the execution of injected scripts.
3) Educate users with access to the pfSense interface about phishing risks and the dangers of clicking on unsolicited links.
4) Monitor web server logs for suspicious requests containing unusual parameters or script payloads targeting the 'showsticktablecontent' parameter.
5) If feasible, apply manual input validation or sanitization on the affected parameter by customizing the web interface code or deploying a Web Application Firewall (WAF) with rules to detect and block reflected XSS attempts.
6) Plan for timely updates to pfSense CE once a security patch addressing CVE-2025-34172 is released by Netgate.
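A worked version of mitigation 4, added here as an example and not code from the advisory or from pfSense: it parses combined-format web server access log lines, URL-decodes the showsticktablecontent value (including double encoding) on requests to haproxy_stats.php, and reports values that contain markup. It assumes pfSense serves /usr/local/www as the web root (so the request path is /haproxy/haproxy_stats.php), that a legitimate value is a plain stick-table name, and uses constructed sample log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Page and parameter named in the advisory; pfSense serves /usr/local/www as its
# web root, so the request path is assumed to be /haproxy/haproxy_stats.php.
PAGE = "/haproxy/haproxy_stats.php"
PARAM = "showsticktablecontent"
# A legitimate value is assumed to be a plain stick-table name, so any tag,
# event-handler attribute or javascript: URL in the value is worth an alert.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
# Combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_values(target):
    """Return the decoded showsticktablecontent values that carry markup."""
    url = urlsplit(target)
    if url.path != PAGE:
        return []
    hits = []
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        decoded = unquote(value)  # parse_qs decoded once; this catches double encoding
        if MARKUP_RE.search(decoded):
            hits.append(decoded)
    return hits

def scan_log(lines):
    """Return one finding per log line whose request carries a suspicious value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an access-log line in the expected format
        hits = suspicious_values(m["target"])
        if hits:
            findings.append({"client": m["client"], "time": m["time"],
                             "status": m["status"], "values": hits})
    return findings

# Constructed sample log lines (not real traffic): a plain tag, a legitimate
# table name, a double-encoded tag, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Sep/2025:21:12:28 +0000] "GET /haproxy/haproxy_stats.php?showsticktablecontent=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '198.51.100.4 - - [09/Sep/2025:21:13:02 +0000] "GET /haproxy/haproxy_stats.php?showsticktablecontent=web_backend HTTP/1.1" 200 4096',
    '203.0.113.7 - - [09/Sep/2025:21:14:40 +0000] "GET /haproxy/haproxy_stats.php?showsticktablecontent=%253Cb%253Ex%253C%252Fb%253E HTTP/1.1" 200 5120',
    '192.0.2.9 - - [09/Sep/2025:21:15:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first and third lines only; the legitimate table name and the unrelated request produce no finding.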
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.567Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 9/9/2025, 9:12:28 PM
Last enriched: 9/24/2025, 1:09:19 AM
Last updated: 10/30/2025, 4:13:04 PM