CVE-2018-4020: OS Command Injection
First published: Mon Dec 03 2018(Updated: )
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_ac_mode` POST parameter parameter.
Credit: talos-cna@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Netgate pfSense | =2.4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2018-4020?
CVE-2018-4020 is a command injection vulnerability in Netgate pfSense CE 2.4.4-RELEASE.
How does CVE-2018-4020 affect Netgate pfSense?
CVE-2018-4020 allows an attacker to execute arbitrary commands on Netgate pfSense CE 2.4.4-RELEASE.
What is the severity of CVE-2018-4020?
CVE-2018-4020 has a severity rating of 7.2 (high).
How can I fix CVE-2018-4020?
To fix CVE-2018-4020, users should update to a patched version of Netgate pfSense CE 2.4.4 or later.
Where can I find more information about CVE-2018-4020?
More information about CVE-2018-4020 can be found at https://talosintelligence.com/vulnerability_reports/TALOS-2018-0690.
- collector/nvd-index
- vendor/netgate
- canonical/netgate pfsense
- version/netgate pfsense/2.4.4