Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69690

CVE-2025-69690: pfSense CE RCE Vulnerability

CVE-2025-69690 is a remote code execution vulnerability in Netgate pfSense CE 2.7.2 affecting the module installer. Attackers can exploit serialized PHP objects to execute arbitrary code. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-69690 Overview

CVE-2025-69690 is a disputed code execution vulnerability in Netgate pfSense Community Edition (CE) 2.7.2. The flaw resides in the module installer, which accepts a backup file containing a serialized PHP object with a post_reboot_commands property. An authenticated administrator can supply a crafted backup that triggers PHP code execution upon deserialization. The issue maps to insecure deserialization of untrusted data [CWE-502]. Netgate disputes the report, stating that the module installer is restricted to administrators who are intentionally permitted to execute PHP code on the appliance.

Critical Impact

An authenticated administrator can leverage a malicious backup file to execute arbitrary PHP code on a pfSense CE 2.7.2 firewall, with full control over the underlying operating system.

Affected Products

  • Netgate pfSense Community Edition (CE) 2.7.2
  • Community build identified by CPE cpe:2.3:a:pfsense:pfsense:2.7.2:*:*:*:community:*:*:*
  • Deployments exposing the pfSense webConfigurator module installer to admin users

Discovery Timeline

  • 2026-05-08 - CVE-2025-69690 published to the National Vulnerability Database (NVD)
  • 2026-05-12 - Last updated in NVD database
  • 2026-05-18 - EPSS score recorded at 0.035% (percentile 10.447)

Technical Details for CVE-2025-69690

Vulnerability Analysis

The vulnerability stems from how the pfSense CE 2.7.2 module installer handles backup files. The installer accepts a backup archive that contains a serialized PHP object. When pfSense deserializes the object using PHP's unserialize() mechanism, properties defined in the payload are restored into a live PHP object. The malicious payload sets the post_reboot_commands property, which is later evaluated by the platform's post-reboot processing logic. Evaluation of the attacker-controlled property results in arbitrary PHP code execution in the context of the webConfigurator process. Netgate characterizes this as intended behavior because module installation is an admin-only function and administrators may run PHP by design. The dispute is reflected in the upstream advisory, but the deserialization sink remains a viable post-compromise persistence and lateral movement primitive once admin credentials are obtained.

Root Cause

The root cause is insecure deserialization [CWE-502]. The installer trusts the structure and contents of a user-supplied backup file and reconstructs PHP objects without validating that the embedded properties are safe to evaluate. Properties such as post_reboot_commands are executed as part of normal post-install flow.

Attack Vector

Exploitation requires network access to the pfSense webConfigurator and valid administrator credentials. The attacker uploads a crafted backup file through the module installer. After deserialization, the embedded post_reboot_commands payload runs PHP code, which can be used to spawn shell commands, modify firewall rules, or establish persistence on the appliance.

No verified proof-of-concept code is publicly available. See the Full Disclosure Mailing List Post for the original report and the vendor dispute.

Detection Methods for CVE-2025-69690

Indicators of Compromise

  • Unexpected uploads to the pfSense module installer endpoint from administrator sessions
  • Backup archive files containing PHP serialized strings referencing post_reboot_commands
  • New or modified entries in pfSense config.xml that include serialized PHP objects in unusual fields
  • Outbound connections from the pfSense host to attacker-controlled infrastructure following module installation

Detection Strategies

  • Inspect uploaded backup files for serialized PHP markers such as O: object signatures and the post_reboot_commands property name
  • Audit pfSense webConfigurator access logs for pkg_mgr_install.php or module installer activity outside scheduled maintenance windows
  • Compare administrator session sources against an allow-list of management workstations and jump hosts

Monitoring Recommendations

  • Forward pfSense system, authentication, and webConfigurator logs to a centralized analytics platform for correlation
  • Alert on reboots that follow module installation events, since the deserialization sink fires during post-reboot processing
  • Track creation of unexpected PHP, shell, or cron artifacts on the firewall filesystem

How to Mitigate CVE-2025-69690

Immediate Actions Required

  • Restrict access to the pfSense webConfigurator to dedicated management networks and trusted source addresses
  • Enforce strong, unique administrator passwords and multi-factor authentication for all pfSense admin accounts
  • Limit the number of accounts with full administrator privileges and audit existing role assignments
  • Treat backup files as sensitive artifacts and only restore backups originating from trusted, integrity-checked sources

Patch Information

Netgate disputes CVE-2025-69690 and has not issued a dedicated security patch, taking the position that module installation is an intentional administrator capability. Operators should monitor the Full Disclosure Mailing List Post and Netgate release notes for any future guidance or hardening changes affecting pfSense CE 2.7.2.

Workarounds

  • Disable or block access to the module installer for accounts that do not require it
  • Require change-control approval and out-of-band verification before any module installation or backup restore
  • Segment pfSense management interfaces from production and user networks using a dedicated management VLAN
  • Validate the integrity of backup files with cryptographic hashes before importing them into pfSense

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.