Bug #16743: isvalidpid() function does not properly check or escape PID file parameter
Status: closed (100% done)
Description
The isvalidpid() function takes a $pidfile parameter and executes a shell command using that parameter without first checking that the file exists and without escaping the value before execution.
As a consequence, in certain circumstances an authenticated user can pass parameters to the function that result in command execution.
A specific example is stopping an OpenVPN service via status_services.php. The code that handles stopping the service uses the id request parameter when forming the PID file path, and since that value is not fully validated, a crafted value can trigger command execution.
Users must be authenticated and have privileges to access status_services.php to trigger the issue in that manner.
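As an added illustration (not pfSense's own code, and not the attached POC), the following PHP shows the shape of a hardened check that closes both defects named above: the PID file must exist and resolve inside the expected directory, the path is shell-escaped, and the service id is validated before any path is built from it. The pgrep invocation, the /var/run directory and the openvpn_server{id}.pid naming are assumptions for the example.

```php
<?php
// Added illustration, not pfSense's code: a PID-file check that addresses
// the two defects in the report (no existence check, no shell escaping),
// plus strict validation of the service id before a path is formed from it.
// The pgrep command line is an assumption about what the original runs.

// Accept only PID files that already exist and resolve inside /var/run
// (directory assumed for this example).
function safe_pidfile_path(string $pidfile): ?string {
    $real = realpath($pidfile);        // false when the file does not exist
    $base = realpath('/var/run');
    if ($real === false || $base === false) {
        return null;
    }
    if (strpos($real, $base . '/') !== 0) {
        return null;                   // path resolved outside /var/run
    }
    return $real;
}

function isvalidpid_hardened(string $pidfile): bool {
    $path = safe_pidfile_path($pidfile);
    if ($path === null || !is_file($path)) {
        return false;                  // no file, so no process to check
    }
    // escapeshellarg() wraps the path as one quoted argument, so shell
    // metacharacters in it cannot terminate or extend the command.
    $cmd = '/bin/pgrep -nF ' . escapeshellarg($path);
    exec($cmd, $output, $retval);
    return $retval === 0;
}

// Caller side (status_services.php in the report): the id from the request
// must match a strict pattern before it is used to build a filename.
function openvpn_pidfile_for_id(string $id): ?string {
    if (!preg_match('/^[0-9]+$/', $id)) {
        return null;                   // reject anything but digits
    }
    return "/var/run/openvpn_server{$id}.pid"; // naming assumed here
}

// Usage: validate the id first, then check the PID file it names.
$pidfile = openvpn_pidfile_for_id($_REQUEST['id'] ?? '');
$running = ($pidfile !== null) && isvalidpid_hardened($pidfile);
```

With both layers in place, a malformed id is rejected before a path exists, and even a path containing metacharacters reaches the shell only as a single quoted argument.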
Simple POC attached.