
CVE-2025-34172: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Netgate pfSense CE

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-34172, cve, cve-2025-34172, cwe-79
Published: Tue Sep 09 2025 (09/09/2025, 19:43:30 UTC)
Source: CVE Database V5
Vendor/Project: Netgate
Product: pfSense CE

Description

In pfSense CE /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.

AI-Powered Analysis

Last updated: 11/20/2025, 13:32:40 UTC

Technical Analysis

CVE-2025-34172 is a reflected cross-site scripting (XSS) vulnerability identified in the pfSense Community Edition (CE) firewall software, version 0.63_10, developed by Netgate. The vulnerability exists in the /usr/local/www/haproxy/haproxy_stats.php page, where the 'showsticktablecontent' parameter from HTTP GET requests is improperly neutralized before being reflected in the HTML response. This improper input sanitization allows an attacker to inject arbitrary JavaScript code that executes in the context of an authenticated user's browser session. The attack vector is remote over the network, with low attack complexity, and does not require privileges but does require user interaction (the victim must click a crafted link or visit a malicious page). The vulnerability affects confidentiality and integrity by potentially enabling session hijacking, theft of authentication tokens, or execution of unauthorized actions within the pfSense web interface. The scope is limited to authenticated users, which reduces the attack surface but still poses a risk in environments where multiple users have access to the pfSense management interface. No known exploits are currently reported in the wild, and no official patches have been linked yet. The CVSS 4.0 score of 4.8 reflects a medium severity level, considering the ease of exploitation and the limited impact scope. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

Potential Impact

For European organizations, the impact of CVE-2025-34172 can be significant, especially for those relying on pfSense CE as a core firewall or network gateway solution. Successful exploitation could allow attackers to execute malicious scripts in the context of authenticated administrators or users, potentially leading to session hijacking, credential theft, or unauthorized configuration changes. This could compromise network security, disrupt operations, or lead to data breaches. Organizations with multiple administrators or users accessing the pfSense web interface are at higher risk. The vulnerability's requirement for user interaction and authentication limits mass exploitation but does not eliminate targeted attacks, particularly in sectors with high-value assets such as finance, government, and critical infrastructure. Additionally, the exposure of the haproxy_stats.php page to less trusted networks increases risk. Given the widespread use of pfSense CE in Europe, especially in small to medium enterprises and public sector organizations, the threat could affect a broad range of entities.

Mitigation Recommendations

1. Monitor Netgate and pfSense official channels for patches addressing CVE-2025-34172 and apply them promptly once available.
2. Restrict access to the pfSense web interface and specifically to the haproxy_stats.php page by implementing network segmentation and firewall rules that limit management interface exposure to trusted IP addresses only.
3. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of compromised credentials being exploited.
4. Deploy web application firewalls (WAFs) or intrusion prevention systems (IPS) capable of detecting and blocking reflected XSS payloads targeting the pfSense management interface.
5. Educate administrators and users about the risks of clicking on untrusted links or visiting suspicious websites while authenticated to pfSense.
6. Regularly audit pfSense logs for unusual access patterns or attempts to exploit web interface vulnerabilities.
7. Consider disabling or restricting the haproxy_stats.php page if it is not required for operational purposes to reduce the attack surface.
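One way to carry out the log audit in recommendation 6 for this specific parameter, as an added example that is not code from pfSense, Netgate or this advisory. It assumes the web interface access log is in combined log format and that legitimate showsticktablecontent values are plain table names; both are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/haproxy/haproxy_stats.php"
PARAM = "showsticktablecontent"

# Assumption: legitimate values are plain stick-table names.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:-]{0,128}")

# Assumption: combined log format (client ... "METHOD target HTTP/x" status bytes "referer").
ENTRY = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)

def audit_line(line):
    """Return a finding if the request carries a value outside the allowlist."""
    m = ENTRY.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(TARGET_PATH):
        return None
    # parse_qs percent-decodes, so encoded markup is compared in decoded form.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    bad = [v for v in values if not SAFE_VALUE.fullmatch(v)]
    if not bad:
        return None
    # The referer matters: reflected XSS needs the victim to follow a link.
    return {"client": m.group("client"), "values": bad,
            "referer": m.group("referer")}

def audit(lines):
    """Audit an iterable of log lines and return all findings."""
    return [f for f in map(audit_line, lines) if f]

# Constructed sample entries (documentation addresses, harmless markup).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Sep/2025:20:01:11 +0000] "GET /haproxy/haproxy_stats.php'
    '?showsticktablecontent=web_frontend HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Sep/2025:20:03:42 +0000] "GET /haproxy/haproxy_stats.php'
    '?showsticktablecontent=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5311 '
    '"https://example.invalid/" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Sep/2025:20:04:02 +0000] "GET /index.php HTTP/1.1" '
    '200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A finding whose referer points outside the management network is the pattern to prioritize, since it indicates an authenticated user arrived at the page from an external link.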


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.567Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c0983c9ed239a66bacc105

Added to database: 9/9/2025, 9:12:28 PM

Last enriched: 11/20/2025, 1:32:40 PM

Last updated: 12/14/2025, 3:55:32 AM
