CVE-2025-69690 Overview
CVE-2025-69690 is a disputed code execution vulnerability in Netgate pfSense Community Edition (CE) 2.7.2. The flaw resides in the module installer, which accepts a backup file containing a serialized PHP object with a post_reboot_commands property. An authenticated administrator can supply a crafted backup that triggers PHP code execution upon deserialization. The issue maps to insecure deserialization of untrusted data [CWE-502]. Netgate disputes the report, stating that the module installer is restricted to administrators who are intentionally permitted to execute PHP code on the appliance.
Critical Impact
An authenticated administrator can leverage a malicious backup file to execute arbitrary PHP code on a pfSense CE 2.7.2 firewall, with full control over the underlying operating system.
Affected Products
- Netgate pfSense Community Edition (CE) 2.7.2
- Community build identified by CPE cpe:2.3:a:pfsense:pfsense:2.7.2:*:*:*:community:*:*:*
- Deployments exposing the pfSense webConfigurator module installer to admin users
Discovery Timeline
- 2026-05-08 - CVE-2025-69690 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD
- 2026-05-18 - EPSS score recorded at 0.035% (percentile 10.447)
Technical Details for CVE-2025-69690
Vulnerability Analysis
The vulnerability stems from how the pfSense CE 2.7.2 module installer handles backup files. The installer accepts a backup archive that contains a serialized PHP object. When pfSense deserializes the object using PHP's unserialize() mechanism, properties defined in the payload are restored into a live PHP object. The malicious payload sets the post_reboot_commands property, which is later evaluated by the platform's post-reboot processing logic. Evaluation of the attacker-controlled property results in arbitrary PHP code execution in the context of the webConfigurator process. Netgate characterizes this as intended behavior because module installation is an admin-only function and administrators may run PHP by design. The dispute is reflected in the upstream advisory, but the deserialization sink remains a viable post-compromise persistence and lateral movement primitive once admin credentials are obtained.
Root Cause
The root cause is insecure deserialization [CWE-502]. The installer trusts the structure and contents of a user-supplied backup file and reconstructs PHP objects without validating that the embedded properties are safe to evaluate. Properties such as post_reboot_commands are executed as part of normal post-install flow.
Attack Vector
Exploitation requires network access to the pfSense webConfigurator and valid administrator credentials. The attacker uploads a crafted backup file through the module installer. After deserialization, the embedded post_reboot_commands payload runs PHP code, which can be used to spawn shell commands, modify firewall rules, or establish persistence on the appliance.
No verified proof-of-concept code is publicly available. See the Full Disclosure Mailing List Post for the original report and the vendor dispute.
Detection Methods for CVE-2025-69690
Indicators of Compromise
- Unexpected uploads to the pfSense module installer endpoint from administrator sessions
- Backup archive files containing PHP serialized strings referencing post_reboot_commands
- New or modified entries in pfSense config.xml that include serialized PHP objects in unusual fields
- Outbound connections from the pfSense host to attacker-controlled infrastructure following module installation
Detection Strategies
- Inspect uploaded backup files for serialized PHP markers such as O: object signatures and the post_reboot_commands property name
- Audit pfSense webConfigurator access logs for pkg_mgr_install.php or module installer activity outside scheduled maintenance windows
- Compare administrator session sources against an allow-list of management workstations and jump hosts
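The first strategy above can be run as a pre-import check. The following is an added example, not Netgate or pfSense code: it scans a backup's bytes for PHP serialized object headers and the post_reboot_commands property name. The base64 unwrapping step, the function names, and the XML sample layout are assumptions made for illustration.

```python
import base64
import re

# PHP serialize() object header: O:<name length>:"<class>":<property count>:{
PHP_OBJECT = re.compile(rb'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')
PROPERTY = b"post_reboot_commands"  # property name given in the advisory
# Assumption: a payload may be base64-wrapped inside a backup field
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")

def layers(data: bytes):
    """Yield the raw bytes, then every base64 run that decodes cleanly."""
    yield "raw", data
    for m in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(), validate=True)
        except ValueError:  # binascii.Error: not valid base64, skip it
            continue
        yield f"base64@{m.start()}", decoded

def scan_backup(data: bytes) -> list:
    """Return one finding per layer holding an object header or the property."""
    findings = []
    for name, blob in layers(data):
        objects = [m.group().decode("latin-1") for m in PHP_OBJECT.finditer(blob)]
        if objects or PROPERTY in blob:
            findings.append({"layer": name, "objects": objects,
                             "property": PROPERTY in blob})
    return findings

def verdict(data: bytes) -> str:
    """block: property name present; review: any serialized object; else allow."""
    findings = scan_backup(data)
    if any(f["property"] for f in findings):
        return "block"
    return "review" if findings else "allow"

# Constructed samples: an inert stdClass object with an empty property value
BLOB = b'O:8:"stdClass":1:{s:20:"post_reboot_commands";s:0:"";}'
CLEAN = b"<pfsense><system><hostname>fw01</hostname></system></pfsense>"
RAW = b"<pfsense><pkg><data><![CDATA[" + BLOB + b"]]></data></pkg></pfsense>"
ENCODED = b"<pfsense><pkg><data>" + base64.b64encode(BLOB) + b"</data></pkg></pfsense>"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("raw", RAW), ("encoded", ENCODED)):
        print(label, verdict(sample), scan_backup(sample))
```

A "review" verdict means a serialized object was found without the named property; legitimate backups may contain such objects, so that result calls for manual inspection rather than automatic rejection.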
Monitoring Recommendations
- Forward pfSense system, authentication, and webConfigurator logs to a centralized analytics platform for correlation
- Alert on reboots that follow module installation events, since the deserialization sink fires during post-reboot processing
- Track creation of unexpected PHP, shell, or cron artifacts on the firewall filesystem
How to Mitigate CVE-2025-69690
Immediate Actions Required
- Restrict access to the pfSense webConfigurator to dedicated management networks and trusted source addresses
- Enforce strong, unique administrator passwords and multi-factor authentication for all pfSense admin accounts
- Limit the number of accounts with full administrator privileges and audit existing role assignments
- Treat backup files as sensitive artifacts and only restore backups originating from trusted, integrity-checked sources
Patch Information
Netgate disputes CVE-2025-69690 and has not issued a dedicated security patch, taking the position that module installation is an intentional administrator capability. Operators should monitor the Full Disclosure Mailing List Post and Netgate release notes for any future guidance or hardening changes affecting pfSense CE 2.7.2.
Workarounds
- Disable or block access to the module installer for accounts that do not require it
- Require change-control approval and out-of-band verification before any module installation or backup restore
- Segment pfSense management interfaces from production and user networks using a dedicated management VLAN
- Validate the integrity of backup files with cryptographic hashes before importing them into pfSense
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


