Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69691

CVE-2025-69691: pfSense CE RCE Vulnerability via XMLRPC

CVE-2025-69691 is a remote code execution vulnerability in Netgate pfSense CE 2.8.0 affecting the XMLRPC API. Attackers can execute PHP code via the pfsense.exec_php function. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-69691 Overview

CVE-2025-69691 affects Netgate pfSense Community Edition (CE) 2.8.0. The vulnerability allows code execution through the XMLRPC API via the pfsense.exec_php method. An authenticated attacker with admin-level API credentials can submit arbitrary PHP code for execution on the firewall.

Netgate disputes this issue. The vendor states that the pfsense.exec_php API call is restricted to administrators and is intentionally designed to execute PHP code as part of legitimate configuration synchronization functionality. The weakness is categorized as Improper Access Control [CWE-284].

Critical Impact

An attacker holding admin credentials, or one who can hijack an admin session, can execute arbitrary PHP on the pfSense host, leading to full firewall compromise. The vendor disputes the issue as intended behavior.

Affected Products

  • Netgate pfSense Community Edition (CE) 2.8.0
  • Deployments exposing the XMLRPC API to untrusted networks
  • Configurations using pfsense.exec_php for HA synchronization

Discovery Timeline

  • 2026-05-08 - CVE-2025-69691 published to the National Vulnerability Database
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2025-69691

Vulnerability Analysis

The pfSense XMLRPC API exposes the pfsense.exec_php remote procedure call. This method accepts a string containing PHP code and evaluates it on the target firewall. The function exists primarily to support configuration synchronization between High Availability (HA) peers.

When an admin authenticates to the XMLRPC endpoint, any PHP payload supplied to pfsense.exec_php runs in the context of the pfSense web server process. The vendor classifies this as intended administrative functionality. Security researchers classify it as an exposed code execution sink that converts an admin credential or session compromise into immediate host takeover.

Root Cause

The root cause is an authenticated code execution primitive intentionally exposed through the management API. There is no input filtering on the PHP body because the method is designed to evaluate arbitrary code. Access control relies entirely on XMLRPC authentication and on the assumption that the API is not reachable by untrusted clients.

Attack Vector

An attacker who obtains admin credentials, replays a captured session, or chains a separate authentication or CSRF flaw can submit a PHP payload to the XMLRPC endpoint. The payload executes with the privileges of the pfSense management process, enabling persistence, traffic interception, lateral movement, and rule modification. The attack vector is network-based and exploitable wherever the management interface or XMLRPC endpoint is reachable.

No verified public exploit code is associated with this CVE at this time. Technical details are referenced in the Full Disclosure Mailing List Post.

Detection Methods for CVE-2025-69691

Indicators of Compromise

  • XMLRPC POST requests to /xmlrpc.php containing the pfsense.exec_php method name from unexpected source addresses
  • New or modified PHP files under /usr/local/www/ or /conf/ outside of patch windows
  • Unexpected outbound connections initiated by the pfSense php-fpm or lighttpd process
  • New cron entries, packages, or shell users added to the firewall configuration

Detection Strategies

  • Inspect web server logs for xmlrpc.php requests and correlate against the source IPs authorized for HA synchronization
  • Alert on any pfsense.exec_php invocation originating from outside the HA peer network
  • Monitor the pfSense config.xml revision history for changes not tied to an approved change ticket
  • Baseline normal XMLRPC volumes and flag spikes that may indicate brute-force or scripted abuse

Monitoring Recommendations

  • Forward pfSense system, authentication, and web server logs to a centralized SIEM for long-term retention
  • Track failed and successful logins to the WebGUI and XMLRPC endpoints by source IP
  • Enable file integrity monitoring on firewall configuration directories where feasible

How to Mitigate CVE-2025-69691

Immediate Actions Required

  • Restrict the pfSense management interface and XMLRPC endpoint to trusted management networks only
  • Rotate all admin passwords and API credentials, and enforce multi-factor authentication on the WebGUI
  • Audit the HA synchronization peer IP allowlist and remove unused entries
  • Review recent config.xml changes, installed packages, and cron jobs for unauthorized modifications

Patch Information

Netgate disputes CVE-2025-69691 and treats pfsense.exec_php as intended behavior for administrators. No vendor patch has been issued. Operators should monitor official Netgate advisories for updates and apply hardening rather than wait for a code fix. Refer to the Full Disclosure Mailing List Post for the original report.

Workarounds

  • Bind the WebGUI and XMLRPC services to a dedicated management interface unreachable from WAN or user networks
  • Use firewall rules to allow XMLRPC traffic only from the HA peer address when HA is in use, and block it entirely when HA is not deployed
  • Place the management interface behind a VPN and require certificate-based authentication
  • Apply the principle of least privilege to admin accounts and remove unused administrative users
bash
# Example pfSense firewall rule restricting XMLRPC to the HA peer
# Interface: SYNC (dedicated HA interface)
# Action: Pass
# Protocol: TCP
# Source: <HA_PEER_IP>/32
# Destination: This Firewall (self)
# Destination Port: 443 (or custom WebGUI port)
#
# Block XMLRPC on all other interfaces:
# Action: Block
# Protocol: TCP
# Source: any
# Destination: This Firewall
# Destination Port: 443
# Advanced: HTTP request path matches /xmlrpc.php (via package such as pfBlockerNG/Snort)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.