CVE-2025-53392

Published Jun 28, 2025

Updated

In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI.

Affected Software

2 affected components

Netgate pfSense CE

pfSense pfSense=2.8.0

Event History

Jun 28, 2025

CVE Published

via MITRE·12:00 AM

Data Sourced

via MITRE·12:00 AM

DescriptionSeverityWeakness

Data Sourced

via NVD·11:15 PM

DescriptionSeverityWeaknessAffected Software

Dec 16, 57759

Event

via NVD·12:02 AM

Frequently Asked Questions

What is the severity of CVE-2025-53392?

CVE-2025-53392 is classified as a medium severity vulnerability.

How do I fix CVE-2025-53392?

To mitigate CVE-2025-53392, restrict access to the WebCfg - Diagnostics privilege to trusted users only.

What is the impact of CVE-2025-53392?

CVE-2025-53392 allows unauthorized users to read arbitrary files through a directory traversal attack.

On which version of pfSense CE does CVE-2025-53392 occur?

CVE-2025-53392 affects Netgate pfSense CE version 2.8.0.

Is CVE-2025-53392 considered intended behavior?

The supplier views CVE-2025-53392 as intended behavior for the specified privilege level, although it poses a security risk.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.