A security advisory has identified two significant authenticated Remote Code Execution (RCE) vulnerabilities in Netgate pfSense Community Edition versions 2.7.2 and 2.8.0. CVE-2025-69690 exploits unsafe deserialization in the configuration restore mechanism, allowing an attacker with administrative privileges to execute arbitrary commands as root via a malicious PHP object in a backup file.
CVE-2025-69691 involves the XMLRPC API, specifically the pfsense.exec_php method, which permits direct execution of PHP code with full system privileges. While both vulnerabilities are critical in impact, the vendor has declined to issue patches, characterizing the behavior as expected functionality for authenticated administrators. Security professionals are advised to strictly control administrative access to these systems.
Top comments (0)