Cyber Resilience

CVE-2022-40624

Critical · Public PoC · RCE

Published: 20 December 2022
Modified: 17 April 2025
KEV Added: not listed
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8466 (99.4th percentile)
Risk Priority: 70 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-40624 is a critical-severity OS Command Injection (CWE-78) vulnerability in pfSense pfBlockerNG. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

pfSense pfBlockerNG through version 2.1.4_27 contains an OS command injection vulnerability tracked as CVE-2022-40624 and assigned CWE-78. The flaw resides in the package's handling of the HTTP Host header and permits unauthenticated remote attackers to execute arbitrary operating system commands with root privileges. It carries a CVSS 3.1 base score of 9.8 and is distinct from the earlier CVE-2022-31814 issue affecting the same component.

An attacker with network access to an exposed pfSense instance running the vulnerable pfBlockerNG package can supply a crafted Host header that results in immediate command execution as root. Successful exploitation grants full control of the underlying system, including the ability to modify firewall rules, exfiltrate data, or install persistent malware without requiring authentication or user interaction.

Public references include Netgate's pfBlockerNG documentation and multiple GitHub repositories that publish proof-of-concept exploit code for the issue. The EPSS score reached a peak of 0.9618 and remains at 0.8466, indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: pfsense
Product: pfblockerng
Versions: ≤ 2.1.4_27

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. This generic CWE-78 control offers little here: the vulnerable package runs shell commands directly as root on the firewall host, so the practical mitigations are upgrading pfBlockerNG past 2.1.4_27 and keeping the pfSense web UI off untrusted networks.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
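The "Deeper analysis" section above describes an unauthenticated command injection carried in the HTTP Host header, and the control listed here is allow-list validation of that input. The following Python is an added example written for this page; it is not pfSense or pfBlockerNG code and does not describe how the package processes the header. It assumes an access log in a constructed format where the reverse proxy in front of the management UI records the Host header as a `host="..."` field (the log lines, the `Finding` type and the field names are all made up for the example). It shows the two defensive pieces together: a strict hostname/IP allow-list check that a front-end proxy or WAF can apply before a request reaches the web UI, and a scan over log lines that flags requests whose Host header falls outside that grammar, which is the detection signal a SOC would want for CWE-78 attempts against this component.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Allow-list grammar for an HTTP Host header value (RFC 3986 host + optional port):
# a DNS name of letter/digit/hyphen labels, an IPv4 literal, or a bracketed IPv6
# literal. Anything outside this grammar (shell metacharacters, whitespace, quotes,
# backticks, braces) is rejected outright instead of being "sanitised".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_NAME = rf"(?:{_LABEL}\.)*{_LABEL}\.?"
_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
_IPV6 = r"\[[0-9A-Fa-f:.]+\]"
_HOST_RE = re.compile(rf"^(?:{_DNS_NAME}|{_IPV4}|{_IPV6})(?::\d{{1,5}})?$")

MAX_HOST_LEN = 253 + 6  # longest legal DNS name plus ":65535"


def is_valid_host_header(value: str) -> bool:
    """Return True only if value is a syntactically valid Host header.

    This is the CWE-78 input-validation control in allow-list form: a value
    that is not a hostname or IP literal is refused, so no shell metacharacter
    can ever reach a downstream command line through this header.
    """
    if not value or len(value) > MAX_HOST_LEN:
        return False
    return _HOST_RE.fullmatch(value) is not None


@dataclass
class Finding:
    src_ip: str
    request: str
    host: str
    reason: str


# Constructed log format (hypothetical): combined-log prefix followed by host="...".
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ host="(?P<host>[^"]*)"$'
)


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Flag every request whose logged Host header violates the allow-list.

    Unparseable lines are reported too: an attacker-controlled header can
    break the log format itself, and silently skipping such lines would hide
    exactly the traffic this scan exists to surface.
    """
    findings: List[Finding] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m is None:
            findings.append(Finding("?", "?", "?", "unparseable log line"))
            continue
        host = m.group("host")
        if not is_valid_host_header(host):
            findings.append(
                Finding(m.group("src"), m.group("req"), host,
                        "Host header outside hostname/IP grammar")
            )
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Dec/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 host="fw.example.internal"',
    '203.0.113.6 - - [20/Dec/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 host="192.0.2.1:443"',
    '198.51.100.9 - - [20/Dec/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 1024 host="fw.example.internal;id"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.src_ip} {f.request!r} host={f.host!r}: {f.reason}")
```

The allow-list is deliberately stricter than what browsers will send in practice only in one respect: it has no notion of which hostnames belong to this firewall. A proxy that additionally compares the validated value against the handful of names the management UI is actually reachable under turns this from a syntax check into a Host-header pin, which is the stronger control for an interface that should never be exposed to arbitrary clients in the first place.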

References