
CVE-2025-34178: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Netgate pfSense CE

Severity: Medium
Type: Vulnerability
ID: CVE-2025-34178
Tags: cve, cve-2025-34178, cwe-79
Published: Tue Sep 09 2025 (09/09/2025, 20:23:44 UTC)
Source: CVE Database V5
Vendor/Project: Netgate
Product: pfSense CE

Description

In pfSense CE /suricata/suricata_app_parsers.php, the value of the policy_name parameter is not sanitized of HTML-related strings/characters before being directly displayed. This can result in stored cross-site scripting. The attacker must be authenticated with at least "WebCfg - Services: suricata package" permissions.

AI-Powered Analysis

Last updated: 09/09/2025, 20:36:33 UTC

Technical Analysis

CVE-2025-34178 is a medium severity stored Cross-Site Scripting (XSS) vulnerability identified in Netgate's pfSense Community Edition (CE) version 7.0.8_2, specifically within the Suricata package's web interface component located at /suricata/suricata_app_parsers.php. The vulnerability arises because the 'policy_name' parameter is not properly sanitized for HTML or script content before being rendered in the web interface. This improper neutralization of input (CWE-79) allows an authenticated attacker with at least 'WebCfg - Services: suricata package' permissions to inject malicious scripts that are stored and subsequently executed in the context of other users viewing the affected page.

The CVSS 4.0 base score is 5.1, reflecting a medium severity level. The attack vector is network-based (AV:N), attack complexity is low (AC:L), there are no additional attack requirements (AT:N), low privileges are needed (PR:L), and user interaction is required (UI:P). The vulnerability impacts confidentiality to a low degree (VC:L) but does not affect integrity or availability. No known exploits are currently in the wild, and no patches have been linked yet.

The vulnerability could be leveraged to execute arbitrary JavaScript in the browser of an administrator or user with access to the Suricata package interface, potentially leading to session hijacking, credential theft, or unauthorized actions within the pfSense management console. Since the attacker must be authenticated with specific permissions, the exposure is limited to users who have been granted access to the Suricata service configuration, reducing the attack surface but still posing a risk in environments where multiple administrators or users have such privileges.

Potential Impact

For European organizations using pfSense CE 7.0.8_2 with the Suricata package enabled, this vulnerability could lead to unauthorized script execution within the administrative web interface. This may result in session hijacking or privilege escalation within the firewall management environment, potentially compromising network security controls. Given that pfSense is widely used in small to medium enterprises and some larger organizations across Europe for firewall and routing functions, exploitation could disrupt network perimeter defenses or lead to data leakage. The impact is particularly significant in regulated sectors such as finance, healthcare, and critical infrastructure, where firewall integrity is paramount. However, the requirement for authenticated access with specific permissions limits the risk to internal threat actors or compromised user accounts rather than external unauthenticated attackers. Nonetheless, insider threats or phishing attacks that gain such credentials could exploit this vulnerability to pivot deeper into organizational networks. The vulnerability does not directly affect availability or integrity of the firewall but compromises the confidentiality of administrative sessions and could facilitate further attacks.

Mitigation Recommendations

1. Immediately restrict and audit user permissions for the Suricata package within pfSense to ensure only trusted administrators have 'WebCfg - Services: suricata package' access.
2. Implement strict internal access controls and multi-factor authentication (MFA) for all pfSense administrative accounts to reduce the risk of credential compromise.
3. Monitor pfSense web interface logs for unusual activity or injection attempts targeting the 'policy_name' parameter.
4. Until an official patch is released, consider disabling the Suricata package web interface or limiting access to it via network segmentation or firewall rules.
5. Educate administrators on the risks of XSS and safe handling of input fields within the management console.
6. Regularly update pfSense and its packages to the latest versions once patches addressing this vulnerability become available.
7. Employ Content Security Policy (CSP) headers if possible to mitigate the impact of injected scripts.
8. Conduct internal penetration testing focused on web interface vulnerabilities to detect similar issues proactively.
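Because the issue is stored XSS, a value that was already saved keeps rendering until it is removed or encoded. The following added example (not pfSense or Suricata package code) audits an exported configuration for stored policy_name values containing HTML metacharacters and shows the encoded form a page should emit. It assumes the value is stored in an XML element named `policy_name`; the sample XML and the `suricata_example` wrapper are constructed.

```python
import html
import re
import xml.etree.ElementTree as ET

# Assumption: the stored value lives in an element named after the request
# parameter. Adjust to match your own configuration export.
FIELD_NAMES = {"policy_name"}

# Characters that change meaning in HTML text or attribute context.
HTML_META = re.compile(r"[<>\"'&`]")

# Constructed sample, not a real pfSense export.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <suricata_example>
    <policy><policy_name>default-http</policy_name></policy>
    <policy><policy_name>&lt;b&gt;lab&lt;/b&gt;</policy_name></policy>
    <policy><policy_name>dns "strict"</policy_name></policy>
    <policy><descr>a &lt; b</descr></policy>
  </suricata_example>
</config>
"""

def audit_config(xml_text, field_names=FIELD_NAMES):
    """Return findings for watched fields whose stored text holds HTML metacharacters."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        value = (node.text or "").strip()
        if node.tag in field_names and HTML_META.search(value):
            findings.append({
                "path": here,
                "stored": value,
                "chars": sorted(set(HTML_META.findall(value))),
                # What a correctly encoded page would emit for this value.
                "encoded": html.escape(value, quote=True),
            })
        for child in node:
            walk(child, here)

    walk(root, "")
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['path']}: {f['stored']!r} -> render as {f['encoded']!r}")
```

Any finding is a value to review and clean up by hand; fields outside `FIELD_NAMES` (such as the sample `descr`) are deliberately not reported.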


Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.567Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c08ee596774cc5680167af

Added to database: 9/9/2025, 8:32:37 PM

Last enriched: 9/9/2025, 8:36:33 PM

Last updated: 9/10/2025, 4:07:21 AM
