CVE-2025-34177 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting Netgate's pfSense CE version 7.0.8_2, specifically within the Suricata package interface at the /suricata/suricata_flow_stream.php endpoint. The vulnerability arises because the 'policy_name' parameter is not properly sanitized for HTML or script content before being rendered on the web page. This improper neutralization of input (CWE-79) allows an authenticated attacker, who has at least 'WebCfg - Services: suricata package' permissions, to inject malicious scripts that are stored and subsequently executed in the context of other users viewing the affected page. The vulnerability does not require user interaction beyond authentication, and the attacker does not need elevated privileges beyond the specified web configuration permission. The CVSS 4.0 score is 5.1, reflecting a medium severity with network attack vector, low complexity, no privileges required beyond limited authentication, and partial confidentiality impact. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability could be leveraged to perform session hijacking, defacement, or other malicious actions within the pfSense web interface, potentially compromising administrative control or leaking sensitive information.

For European organizations using pfSense CE 7.0.8_2 with the Suricata package enabled, this vulnerability poses a risk to the integrity and confidentiality of their firewall management interfaces. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the pfSense web UI, potentially leading to session hijacking, unauthorized configuration changes, or leakage of sensitive network information. Since pfSense is widely used in small to medium enterprises and some larger organizations for firewall and routing, exploitation could disrupt network security management. The requirement for authenticated access with specific permissions limits the attack surface to insiders or compromised accounts, but insider threats or credential theft remain realistic risks. Given the critical role of pfSense in perimeter defense, any compromise could have cascading effects on network availability and security posture. European organizations with strict regulatory requirements (e.g., GDPR) could face compliance issues if such vulnerabilities lead to data breaches or unauthorized access.

1. Immediately restrict access to the pfSense web interface to trusted administrators and enforce strong authentication mechanisms, including multi-factor authentication (MFA) where possible. 2. Limit the number of users with 'WebCfg - Services: suricata package' permissions to the minimum necessary. 3. Monitor and audit user activities within the pfSense web UI to detect suspicious behavior indicative of exploitation attempts. 4. Implement web application firewall (WAF) rules to detect and block malicious payloads targeting the Suricata package interface. 5. Until an official patch is released, consider disabling the Suricata package or restricting its web configuration access if feasible. 6. Educate administrators about the risks of stored XSS and encourage immediate reporting of any unusual interface behavior. 7. Regularly check for updates from Netgate and apply patches promptly once available. 8. Conduct internal penetration testing focusing on authenticated web interface vulnerabilities to identify similar issues proactively.