CVE-2025-34175: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Netgate pfSense CE

Medium
Published: Tue Sep 09 2025 (09/09/2025, 20:09:50 UTC)
Source: CVE Database V5
Vendor/Project: Netgate
Product: pfSense CE

Description

In pfSense CE /usr/local/www/suricata/suricata_filecheck.php, the value of the filehash parameter is directly displayed without sanitizing for HTML-related characters/strings. This can result in reflected cross-site scripting if the victim is authenticated.

AI-Powered Analysis

Last updated: 09/09/2025, 20:12:12 UTC

Technical Analysis

CVE-2025-34175 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Netgate pfSense Community Edition (CE) version 7.0.8_2, specifically within the /usr/local/www/suricata/suricata_filecheck.php script. The vulnerability arises because the 'filehash' parameter value is directly reflected in the web page output without proper sanitization or encoding of HTML special characters. This improper neutralization of input (classified under CWE-79) allows an attacker to craft a malicious URL containing executable script code within the 'filehash' parameter. When an authenticated user accesses this crafted URL, the malicious script executes in the context of the user's browser session. The vulnerability is reflected, meaning the malicious payload is not stored but immediately reflected back in the HTTP response.

The CVSS 4.0 base score is 5.1 (medium severity), with an attack vector of network (remote), low attack complexity, no privileges required, but user interaction (authenticated user clicking the malicious link) is necessary. The impact primarily affects confidentiality due to potential session hijacking or credential theft, with limited impact on integrity and availability. No known exploits are currently reported in the wild, and no official patches have been linked yet.

The vulnerability affects only the specified pfSense CE version 7.0.8_2, which is a widely used open-source firewall and routing platform, often deployed in enterprise and organizational network perimeters. The flaw is located in a web interface component related to Suricata IDS/IPS file checking, which is typically accessed by administrators or users with elevated privileges, increasing the risk if exploited. Overall, this vulnerability represents a moderate risk that could be leveraged for targeted attacks against authenticated users managing pfSense CE devices.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to network security administrators and operators who use pfSense CE 7.0.8_2 with Suricata enabled. Successful exploitation could lead to session hijacking, credential theft, or execution of arbitrary scripts in the context of the administrative interface, potentially allowing attackers to gain unauthorized access or escalate privileges indirectly. This could compromise the firewall's integrity and the security posture of the protected network segments. Given pfSense's role as a perimeter defense device, exploitation could facilitate lateral movement or data exfiltration within the organization. The requirement for user authentication and interaction limits the attack surface but does not eliminate risk, especially in environments where phishing or social engineering attacks are prevalent. The medium severity score reflects these considerations. Organizations in Europe relying on pfSense CE for critical infrastructure or sensitive data protection should consider this vulnerability a priority for remediation to maintain compliance with data protection regulations such as GDPR and to uphold network security standards.

Mitigation Recommendations

1. Immediate mitigation involves restricting access to the Suricata file check interface to trusted administrators only, ideally through network segmentation and VPN access controls.
2. Implement strict input validation and output encoding on the 'filehash' parameter within the web interface to neutralize HTML and script characters, preventing script injection. Since no official patch is currently available, organizations should monitor Netgate's advisories for updates and apply patches promptly once released.
3. Employ web application firewalls (WAFs) or intrusion prevention systems (IPS) with rules designed to detect and block reflected XSS payloads targeting the pfSense web interface.
4. Educate administrators about the risks of clicking on unsolicited or suspicious links, especially those targeting the pfSense management interface, to reduce the likelihood of successful social engineering.
5. Regularly audit and monitor pfSense logs for unusual access patterns or error messages that may indicate attempted exploitation.
6. Consider upgrading to newer, unaffected versions of pfSense CE when available, or temporarily disable the Suricata file check feature if feasible until a patch is applied.
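
The allow-list validation from item 2 and the log audit from item 5, combined in one added example (not Netgate's code and not part of the original analysis). It assumes a legitimate filehash is an MD5, SHA-1 or SHA-256 hex digest and that the web server access log uses the combined format; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script name from the advisory; matching on the suffix avoids assuming the web root.
SCRIPT = "/suricata_filecheck.php"
# Assumption: a legitimate filehash is an MD5, SHA-1 or SHA-256 hex digest.
HEX_DIGEST = re.compile(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})")
# Assumption: combined-format access log; only the fields up to the request are parsed.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*"')


def is_valid_filehash(value):
    """Allow-list check: only a bare hex digest passes, so no HTML metacharacter can."""
    return HEX_DIGEST.fullmatch(value) is not None


def suspicious_requests(lines):
    """Return (ip, timestamp, decoded filehash) for requests whose filehash fails the allow-list."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not unquote(url.path).endswith(SCRIPT):
            continue
        # parse_qs percent-decodes, so encoded markup is checked in its decoded form.
        for value in parse_qs(url.query, keep_blank_values=True).get("filehash", []):
            if not is_valid_filehash(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Sep/2025:20:15:01 +0000] "GET /suricata/suricata_filecheck.php?filehash=d41d8cd98f00b204e9800998ecf8427e HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Sep/2025:20:16:44 +0000] "GET /suricata/suricata_filecheck.php?filehash=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5188 "https://mail.example/" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Sep/2025:20:17:02 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} non-hash filehash: {value!r}")
```

Parameters sent in a POST body do not appear in an access log, so this audit covers only the crafted-URL case. The same allow-list, applied server-side before the value is echoed, is the input-validation half of item 2; output encoding is still needed as the second layer.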

Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.567Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c089dc075fc5f733c91a33

Added to database: 9/9/2025, 8:11:08 PM

Last enriched: 9/9/2025, 8:12:12 PM

Last updated: 9/9/2025, 9:12:27 PM
