Security researcher Nelson Adhepeau has disclosed two critical authenticated Remote Code Execution (RCE) vulnerabilities affecting Netgate pfSense Community Edition versions 2.7.2 and 2.8.0. CVE-2025-69690 involves unsafe deserialization within the configuration restore mechanism, allowing an administrator to execute arbitrary PHP code with root privileges via a malicious backup file containing a crafted PHP object.
The second vulnerability, CVE-2025-69691, identifies a critical flaw in the XMLRPC API's pfsense.exec_php method, which permits direct execution of PHP code without sandboxing or restrictions. Despite the potential for full system compromise and persistent backdoor deployment, the vendor has classified these issues as expected administrative behavior and currently has no plans to issue security patches.
Top comments (0)