CVE-2025-12490: RCE in Suricata for pfSense
Platform: freebsd
Component: suricata
Fixed in: 2.8.2
CVE-2025-12490 is a Remote Code Execution (RCE) vulnerability affecting Suricata installations within Netgate pfSense CE. This flaw allows authenticated attackers to create arbitrary files on the system, potentially leading to complete system compromise. The vulnerability impacts pfSense versions 7.0.83–pfSense 2.8.1 and the Suricata package 7.0.83. A fix is available in pfSense 2.8.2.
Impact and Attack Scenarios
Successful exploitation of CVE-2025-12490 allows an attacker to execute arbitrary code with root privileges on the affected pfSense firewall. This could lead to complete system takeover, data exfiltration, and disruption of network services. The ability to create arbitrary files as root significantly expands the attacker's capabilities, enabling them to install malware, modify system configurations, and potentially pivot to other systems on the network. This vulnerability is similar in impact to other path traversal vulnerabilities where attackers gain elevated privileges through file manipulation.
Exploitation Context
CVE-2025-12490 was initially reported to ZDI (ZDI-CAN-28085). The vulnerability is considered to have a medium probability of exploitation given the requirement for authentication. Public proof-of-concept code is not currently available, but the path traversal nature of the vulnerability makes it likely that such code will emerge. This CVE was published on 2025-11-06.
Threat Intelligence
EPSS: 26.70% (96th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Mitigation and Workarounds
The primary mitigation for CVE-2025-12490 is to upgrade to pfSense version 2.8.2 or later, which includes the necessary fix. If an immediate upgrade is not possible, apply temporary workarounds such as restricting access to the Suricata configuration interfaces to trusted users only. Reviewing the Suricata configuration directories for unexpected or unauthorized files can also help detect a potential compromise. After upgrading, confirm the fix by attempting to create a file in a restricted directory via the Suricata configuration interface; the attempt should be denied.
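The advisory classifies the defect as a path traversal that lets an authenticated user turn a file name supplied to the Suricata configuration interface into a write outside the intended directory. The page does not show the affected code, so the following is an added example, not pfSense's or the Suricata package's own code: it contrasts the generic vulnerable pattern (joining user input onto a base directory) with the containment check that a hardened file-creation path needs. The pfSense package GUI is written in PHP; this is Python so it can be run stand-alone, and the function names and the `suricata_conf` directory are illustrative assumptions.

```python
"""
Path-containment check for user-supplied file names (added illustration,
not the pfSense/Suricata package code). Base directory and function names
are assumptions chosen for the example.
"""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied name would resolve outside the base dir."""


def unsafe_target(base_dir: str, user_name: str) -> str:
    """The vulnerable pattern: concatenate user input onto a base directory.

    os.path.join discards base_dir entirely when user_name is absolute and
    does nothing about '..' components, so the caller ends up writing wherever
    the input points. Shown only for contrast with safe_target().
    """
    return os.path.join(base_dir, user_name)


def safe_target(base_dir: str, user_name: str) -> Path:
    """Hardened form: resolve symlinks and '..' on both sides, then require the
    candidate to be a strict descendant of base_dir. Raises PathTraversalError
    otherwise, so the caller never opens a file outside the directory."""
    base = Path(base_dir).resolve()
    # Reject absolute input explicitly; joined onto base it would replace it.
    if Path(user_name).is_absolute():
        raise PathTraversalError(f"absolute path not allowed: {user_name!r}")
    # resolve() follows symlinks, so a link inside base that points outside
    # is caught as well as a literal '../' sequence.
    candidate = (base / user_name).resolve()
    if candidate == base:
        raise PathTraversalError("empty name would target the directory itself")
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"path escapes {base}: {user_name!r}") from None
    return candidate


def escapes_base(base_dir: str, user_name: str) -> bool:
    """True if safe_target() would reject the name as a traversal attempt."""
    try:
        safe_target(base_dir, user_name)
    except PathTraversalError:
        return True
    return False


def symlink_escape_is_rejected() -> bool:
    """Demonstrate the symlink case on a constructed directory layout:
    base/link -> outside; a name under link/ must be rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "suricata_conf")  # constructed stand-in
        outside = os.path.join(tmp, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "link"))
        return escapes_base(base, "link/evil.rules")


if __name__ == "__main__":
    base = "/var/tmp/suricata_conf_example"  # constructed path, need not exist
    for name in ["rules/local.rules", "../../etc/passwd", "/etc/passwd", ""]:
        print(f"{name!r:24} unsafe -> {unsafe_target(base, name)!r:40} "
              f"rejected by safe_target: {escapes_base(base, name)}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

The check has to compare resolved paths rather than the raw string: a prefix test on the unresolved string passes names like `conf/../../etc` and symlinked subdirectories, which is exactly what the post-upgrade verification step above is meant to exercise.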
How to fix
Update the Suricata package to the fixed version provided by Netgate for pfSense. This resolves the path traversal vulnerability that allows arbitrary file creation. See the Netgate security advisory for specific update instructions.
Frequently asked questions
What is CVE-2025-12490 — RCE in Suricata for pfSense?
CVE-2025-12490 is a Remote Code Execution vulnerability in Suricata installations within Netgate pfSense CE, allowing authenticated attackers to create arbitrary files as root.
Am I affected by CVE-2025-12490 in Suricata for pfSense?
You are affected if you are running pfSense versions 7.0.83–pfSense 2.8.1 and the Suricata package 7.0.83.
How do I fix CVE-2025-12490 in Suricata for pfSense?
Upgrade to pfSense version 2.8.2 or later to resolve the vulnerability. Restrict access to Suricata configuration interfaces as a temporary workaround.
Is CVE-2025-12490 being actively exploited?
While public proof-of-concept code is not currently available, the vulnerability's nature suggests potential for exploitation.
Where can I find the official pfSense advisory for CVE-2025-12490?
Refer to the official Netgate pfSense security advisory for CVE-2025-12490 on the pfSense website.