
CVE-2025-34172: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Netgate pfSense CE

Severity: Medium
Tags: Vulnerability, CVE-2025-34172, CWE-79
Published: Tue Sep 09 2025 (09/09/2025, 19:43:30 UTC)
Source: CVE Database V5
Vendor/Project: Netgate
Product: pfSense CE

Description

In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.

AI-Powered Analysis

Last updated: 09/09/2025, 21:14:07 UTC

Technical Analysis

CVE-2025-34172 is a reflected cross-site scripting (XSS) vulnerability in the pfSense Community Edition (CE) firewall software, specifically in version 0.63_10. The flaw is in the /usr/local/www/haproxy/haproxy_stats.php page, where the value of the 'showsticktablecontent' parameter, taken from an HTTP GET request, is reflected into the web page without proper sanitization or encoding. This improper neutralization of input (CWE-79) lets an attacker inject script that executes in the context of an authenticated user's browser session. Because the victim must be authenticated, exploitation typically relies on social engineering or phishing to get a legitimate user to open a crafted URL carrying the payload. The CVSS 4.0 base score is 4.8 (medium severity): the attack vector is network-based (AV:N), attack complexity is low (AC:L), low privileges are required (PR:L), and active user interaction is required (UI:A). The vulnerability has a low impact on confidentiality (VC:L) and none on integrity or availability. No exploits are currently reported in the wild, and no patches have been linked yet. The root cause is the failure to encode or sanitize user-supplied input before rendering it in the web interface, a common web application weakness that can lead to session hijacking, credential theft, or unauthorized actions within the authenticated session.
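To make the described weakness concrete, the following is an added illustration written for this page, not code from pfSense or the haproxy package: a hypothetical page fragment that reflects the GET parameter verbatim, beside the output-encoded form and an allow-list check. The function names and the sample request value are constructed assumptions.

```php
<?php
// Added example (hypothetical; not pfSense or haproxy package code).
// Shows the CWE-79 pattern described above: a GET parameter reflected
// into HTML without output encoding, next to the corrected form.

// Weak: the parameter value is written into the page as-is, so any
// markup it contains becomes part of the document the browser renders.
function render_sticktable_heading_unsafe(array $get): string
{
    $table = $get['showsticktablecontent'] ?? '';
    return "<h2>Stick table: " . $table . "</h2>";
}

// Corrected: encode for the HTML text context at the point of output.
// ENT_QUOTES also encodes both quote characters, so the same value is
// safe inside an attribute as well as in element text.
function render_sticktable_heading_safe(array $get): string
{
    $table = $get['showsticktablecontent'] ?? '';
    $encoded = htmlspecialchars($table, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Stick table: " . $encoded . "</h2>";
}

// Defense in depth: stick table names are identifiers, so reject any
// value that is not a plain identifier before it reaches the template.
// Returns the name when it is acceptable, or null when it is not.
function validate_sticktable_name(string $name): ?string
{
    return preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $name) === 1 ? $name : null;
}

// Constructed sample request: a benign tag and quotes stand in for
// whatever a crafted URL might carry. Not taken from the advisory.
$sample_get = ['showsticktablecontent' => 'web<b>bold</b>"x"'];

// The unsafe form leaves the <b> element live in the page; the safe
// form turns <, >, and " into entities so they render as literal text.
echo render_sticktable_heading_unsafe($sample_get), PHP_EOL;
echo render_sticktable_heading_safe($sample_get), PHP_EOL;

// The allow-list rejects the constructed value and accepts a plain name.
var_dump(validate_sticktable_name($sample_get['showsticktablecontent']));
var_dump(validate_sticktable_name('web_backends'));
```

Output encoding is the fix for the reflection itself; the allow-list is an additional control that is only appropriate where, as here, the parameter is expected to be an identifier rather than free text.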

Potential Impact

For European organizations using pfSense CE version 0.63_10, this vulnerability poses a moderate risk primarily to network security administrators and users who access the pfSense web interface. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, theft of authentication tokens, or unauthorized configuration changes if combined with other vulnerabilities or social engineering. Given that pfSense is widely used in small to medium enterprises and some larger organizations for firewall and routing functions, compromise could lead to further network infiltration or data exfiltration. The requirement for user authentication and interaction limits the attack scope but does not eliminate risk, especially in environments where administrative users may be targeted via phishing campaigns. The reflected XSS could also be leveraged as a stepping stone for more complex attacks against internal networks. The impact on confidentiality is moderate, while integrity and availability are less likely to be directly affected by this vulnerability alone.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1. Immediately restrict access to the pfSense web interface to trusted networks and users, ideally via VPN or secure management VLANs, to reduce exposure to unauthenticated attackers.
2. Educate administrators and users about phishing risks and the dangers of clicking on suspicious links, since user interaction is required for exploitation.
3. Monitor pfSense CE vendor communications closely for official patches or updates addressing CVE-2025-34172 and apply them promptly once available.
4. Implement Web Application Firewall (WAF) rules or Intrusion Prevention System (IPS) signatures that can detect and block reflected XSS payloads targeting the haproxy_stats.php endpoint.
5. Consider upgrading pfSense CE to later versions if they include fixes or enhanced input sanitization.
6. Conduct regular security audits and penetration tests focusing on web interface vulnerabilities to identify and remediate similar issues proactively.
7. Use Content Security Policy (CSP) headers where possible to restrict script execution in the pfSense web interface environment.


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.567Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c0983c9ed239a66bacc105

Added to database: 9/9/2025, 9:12:28 PM

Last enriched: 9/9/2025, 9:14:07 PM

Last updated: 9/10/2025, 4:07:21 AM
