CVE-2025-34173: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Netgate pfSense CE
In pfSense CE /usr/local/www/snort/snort_ip_reputation.php, the value of the iplist parameter is not sanitized of directory traversal-related characters/strings before being used to check if a file exists. While the contents of the file cannot be read, the server reveals whether a file exists, which allows an attacker to enumerate files on the target. The attacker must be authenticated with at least "WebCfg - Services: Snort package" permissions.
AI Analysis
Technical Summary
CVE-2025-34173 is a path traversal vulnerability classified under CWE-22 found in the pfSense CE firewall distribution, specifically in the Snort package's web interface file snort_ip_reputation.php. The vulnerability occurs because the iplist parameter is not sanitized to remove directory traversal characters such as '../', allowing an authenticated user with at least 'WebCfg - Services: Snort package' permissions to manipulate the parameter to reference files outside the intended directory. While the vulnerability does not allow reading the contents of arbitrary files, it enables the attacker to check for the existence of files on the server by observing the server's response. This file existence disclosure can be leveraged to enumerate sensitive files, which may reveal configuration files, credentials, or other information useful for further exploitation. The vulnerability has a CVSS 4.0 base score of 5.3 (medium severity), reflecting its network attack vector, low complexity, no user interaction, and limited impact confined to confidentiality through file existence disclosure. Exploitation requires authentication with specific privileges, limiting the attack surface to insiders or compromised accounts. No public exploits or active exploitation have been reported as of the publication date. The affected version is pfSense CE 4.1.6_25. The lack of input validation on the iplist parameter represents a failure to properly restrict pathname access, a common security oversight in web applications handling file paths.
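The unsanitized pattern described above next to a hardened lookup, as an added illustration (not pfSense or Snort package code); the list directory, function names and the throwaway files in demo() are assumptions constructed for the example:

```python
# Added example: CWE-22 existence oracle (vulnerable_exists) beside a lookup
# that confines the iplist parameter to one directory (safe_exists).
import os
import re
import tempfile

IPLIST_DIR = "/usr/local/etc/snort/rules/iplists"  # assumed location
# Allow-list for a bare list name: no separators, cannot start with '.'.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def vulnerable_exists(iplist: str, base_dir: str = IPLIST_DIR) -> bool:
    """Joins the raw parameter onto the base path, so '../x' escapes it and
    the True/False answer becomes an oracle for files anywhere on disk."""
    return os.path.exists(os.path.join(base_dir, iplist))


def safe_iplist_path(iplist: str, base_dir: str = IPLIST_DIR):
    """Return the resolved path for an acceptable name, else None.
    Two independent controls: a syntactic allow-list on the name, then a
    containment check on the resolved real path (also covers symlinks)."""
    if not _SAFE_NAME.fullmatch(iplist):  # also rejects '', '..', 'a/b', NUL
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, iplist))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def safe_exists(iplist: str, base_dir: str = IPLIST_DIR) -> bool:
    """Existence check that cannot be steered outside base_dir; rejected
    names answer False without touching the filesystem."""
    path = safe_iplist_path(iplist, base_dir)
    return path is not None and os.path.isfile(path)


def demo() -> dict:
    """Constructed layout: one real list inside the directory and one file
    just above it, probed through both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        lists = os.path.join(tmp, "iplists")
        os.mkdir(lists)
        open(os.path.join(lists, "default.blacklist"), "w").close()
        open(os.path.join(tmp, "outside.txt"), "w").close()
        return {
            "vuln_inside": vulnerable_exists("default.blacklist", lists),
            "vuln_escape": vulnerable_exists("../outside.txt", lists),  # True: leaks
            "safe_inside": safe_exists("default.blacklist", lists),
            "safe_escape": safe_exists("../outside.txt", lists),        # False
        }
```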
Potential Impact
For European organizations deploying pfSense CE version 4.1.6_25 with the Snort package enabled, this vulnerability presents a moderate risk primarily related to confidentiality. An attacker with authenticated access and the required Snort package permissions can enumerate files on the firewall system, potentially revealing sensitive configuration files or security-related data. This reconnaissance capability can facilitate subsequent attacks such as privilege escalation, configuration manipulation, or targeted exploitation of other vulnerabilities. Although the vulnerability does not allow direct file content disclosure or system compromise, the information gained can reduce the attacker's effort in planning further intrusions. Since pfSense is widely used in small to medium enterprises and some critical infrastructure sectors across Europe for network security, the exposure could affect organizations relying on these firewalls for perimeter defense. The requirement for authentication limits the threat to insiders or attackers who have already compromised user credentials, but given the strategic role of firewalls, any compromise or reconnaissance could have significant operational impact. Additionally, the presence of this vulnerability may undermine compliance with European data protection regulations if sensitive information is indirectly exposed.
Mitigation Recommendations
To mitigate CVE-2025-34173, European organizations should first verify if they are running pfSense CE version 4.1.6_25 with the Snort package enabled. Immediate steps include restricting access to the pfSense web interface to trusted administrators only, enforcing strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise, and limiting the number of users with 'WebCfg - Services: Snort package' permissions. Network segmentation should be employed to isolate management interfaces from general user networks. Although no official patch links are currently available, organizations should monitor Netgate's advisories for updates or patches addressing this vulnerability and apply them promptly once released. As a temporary workaround, administrators can audit and harden the Snort package configuration, disable the Snort package if not essential, or implement web application firewall (WAF) rules to detect and block directory traversal patterns in HTTP requests targeting snort_ip_reputation.php. Regularly reviewing access logs for suspicious activity related to the iplist parameter can help detect attempted exploitation. Finally, organizations should conduct internal security awareness training to prevent credential theft and ensure that only authorized personnel have access to sensitive firewall management functions.
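A log review helper for the "review access logs for suspicious activity related to the iplist parameter" step, added here as an example (not part of the advisory or of pfSense); the combined-style log format, the sample lines and the bounded decoding depth are constructed assumptions:

```python
# Added example: flag requests to snort_ip_reputation.php whose iplist value
# contains a traversal component or absolute path after full percent-decoding.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (combined-style format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - admin [15/Dec/2025:02:40:01 +0000] "GET /snort/snort_ip_reputation.php?iplist=default.blacklist HTTP/1.1" 200 1043
10.0.0.7 - auditor [15/Dec/2025:02:41:13 +0000] "GET /snort/snort_ip_reputation.php?iplist=..%2F..%2Fsome%2Ffile HTTP/1.1" 200 1043
10.0.0.7 - auditor [15/Dec/2025:02:41:20 +0000] "GET /snort/snort_ip_reputation.php?iplist=%252e%252e%252fsome.txt HTTP/1.1" 200 1043
10.0.0.9 - admin [15/Dec/2025:02:42:05 +0000] "GET /snort/snort_interfaces.php HTTP/1.1" 200 5120
"""

_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' as a whole path component (either separator), a leading separator, or NUL.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)|^[\\/]|\x00")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded '%252e' is
    judged on what the application would eventually see."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_iplist_requests(log_text: str) -> list:
    """Return one dict per request whose decoded iplist looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.endswith("/snort_ip_reputation.php"):
            continue
        # parse_qs decodes once; decode_fully handles further layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("iplist", []):
            value = decode_fully(raw)
            if _TRAVERSAL.search(value):
                hits.append({"ip": m["ip"], "user": m["user"],
                             "ts": m["ts"], "iplist": value})
    return hits
```

Because the server answers 200 whether or not the probed file exists, status codes do not separate probes from normal use; the decoded parameter value is the signal to alert on.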
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.567Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c0983c9ed239a66bacc0ee
Added to database: 9/9/2025, 9:12:28 PM
Last enriched: 11/20/2025, 1:32:57 PM
Last updated: 12/15/2025, 2:43:47 AM