This security advisory details two critical authenticated Remote Code Execution (RCE) vulnerabilities, CVE-2025-69690 and CVE-2025-69691, affecting Netgate pfSense Community Edition versions 2.7.2 and 2.8.0 respectively. Both vulnerabilities allow authenticated administrators to execute arbitrary code with root privileges, leading to complete firewall takeover, persistent compromise, and data exfiltration.
CVE-2025-69690, present in pfSense CE 2.7.2, leverages unsafe deserialization within the configuration restore mechanism. By uploading a crafted backup file containing a malicious PHP object, an authenticated administrator can inject and execute commands via mwexec(). The second vulnerability, CVE-2025-69691, affects pfSense CE 2.8.0 and abuses an exposed XMLRPC API method, pfsense.exec_php, which executes arbitrary PHP code as root without validation or restrictions on the code it is handed. This is particularly critical because the endpoint is enabled by default and the web GUI behind it frequently still uses the default "admin:pfsense" credentials.
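Because the vendor does not intend to change this behaviour, the practical response is detection and credential hygiene. The following is an added example, not code from the advisory or from Netgate: a small Python classifier that takes a raw HTTP request aimed at pfSense's xmlrpc.php, decodes the HTTP Basic credentials, parses the XML-RPC body, and reports a call to the pfsense.exec_php method named above or a login with the default admin:pfsense pair. The sample requests are constructed here; the assumption that the PHP source is passed as a single string parameter, and the benign method name pfsense.host_firmware_version used for contrast, are assumptions of this example, not facts stated by the advisory.

```python
"""Added example (not part of the advisory): flag XML-RPC requests to pfSense's
xmlrpc.php that either use the default admin:pfsense credentials or invoke
pfsense.exec_php, the method the advisory describes as root-level code execution."""
import base64
import xmlrpc.client

# Default pfSense CE admin credentials, as noted in the advisory.
DEFAULT_CREDS = {("admin", "pfsense")}
# XML-RPC method named in the advisory as executing arbitrary PHP as root.
RCE_METHODS = {"pfsense.exec_php"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (verb, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    verb, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return verb, path, headers, body


def basic_auth_creds(headers):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = decoded.partition(":")
    return user, password


def xmlrpc_method(body: bytes):
    """Return (method name, params) from an XML-RPC methodCall body."""
    try:
        params, name = xmlrpc.client.loads(body.decode("utf-8", "replace"))
    except Exception:  # malformed XML, not a methodCall, etc.
        return None, ()
    return name, params


def analyze(raw: bytes) -> list[str]:
    """Return human-readable findings for one request; empty list means nothing flagged."""
    _, path, headers, body = parse_http_request(raw)
    findings: list[str] = []
    if not path.startswith("/xmlrpc.php"):
        return findings
    if basic_auth_creds(headers) in DEFAULT_CREDS:
        findings.append("default admin:pfsense credentials used against xmlrpc.php")
    name, params = xmlrpc_method(body)
    if name in RCE_METHODS:
        # Assumption of this example: the PHP source travels as a string parameter.
        code = next((p for p in params if isinstance(p, str)), "")
        findings.append(f"{name} invoked with PHP payload {code[:60]!r}")
    return findings


def _request(user_pass: bytes, method: str, *params) -> bytes:
    """Build a constructed sample request (test data, not captured traffic)."""
    body = xmlrpc.client.dumps(params, methodname=method).encode()
    return (
        b"POST /xmlrpc.php HTTP/1.1\r\n"
        b"Host: 192.0.2.1\r\n"
        b"Authorization: Basic " + base64.b64encode(user_pass) + b"\r\n"
        b"Content-Type: text/xml\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )


# Constructed sample: default credentials plus an exec_php call.
SAMPLE_ATTACK = _request(b"admin:pfsense", "pfsense.exec_php", "system('id');")
# Constructed sample: non-default credentials, assumed-benign HA sync method.
SAMPLE_BENIGN = _request(b"syncuser:correct-horse", "pfsense.host_firmware_version")

if __name__ == "__main__":
    for label, req in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        print(label, analyze(req) or "no findings")
```

In production this logic would sit behind a TLS-terminating proxy or in a WAF rule rather than a script, but the two signals it encodes are the ones worth alerting on: any call to pfsense.exec_php from an address that is not the HA sync peer, and any successful login with the default credentials.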
Despite the severe impact, Netgate classified both issues as "expected behavior" for authenticated administrators and indicated no patches would be issued for pfSense CE 2.8.0, with the 2.7.2 issue also unpatched. The vulnerabilities were disclosed after a standard 90-day responsible disclosure timeline, following vendor notification in December 2025 and CVE assignment in January 2026.