CVE-2025-69691 Overview
CVE-2025-69691 affects Netgate pfSense Community Edition (CE) 2.8.0. The vulnerability allows code execution through the XMLRPC API via the pfsense.exec_php method. An authenticated attacker with admin-level API credentials can submit arbitrary PHP code for execution on the firewall.
Netgate disputes this issue. The vendor states that the pfsense.exec_php API call is restricted to administrators and is intentionally designed to execute PHP code as part of legitimate configuration synchronization functionality. The weakness is categorized as Improper Access Control [CWE-284].
Critical Impact
An attacker holding admin credentials, or one who can hijack an admin session, can execute arbitrary PHP on the pfSense host, leading to full firewall compromise. The vendor disputes the issue as intended behavior.
Affected Products
- Netgate pfSense Community Edition (CE) 2.8.0
- Deployments exposing the XMLRPC API to untrusted networks
- Configurations using pfsense.exec_php for HA synchronization
Discovery Timeline
- 2026-05-08 - CVE-2025-69691 published to the National Vulnerability Database
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2025-69691
Vulnerability Analysis
The pfSense XMLRPC API exposes the pfsense.exec_php remote procedure call. This method accepts a string containing PHP code and evaluates it on the target firewall. The function exists primarily to support configuration synchronization between High Availability (HA) peers.
When an admin authenticates to the XMLRPC endpoint, any PHP payload supplied to pfsense.exec_php runs in the context of the pfSense web server process. The vendor classifies this as intended administrative functionality. Security researchers classify it as an exposed code execution sink that converts an admin credential or session compromise into immediate host takeover.
Root Cause
The root cause is an authenticated code execution primitive intentionally exposed through the management API. There is no input filtering on the PHP body because the method is designed to evaluate arbitrary code. Access control relies entirely on XMLRPC authentication and on the assumption that the API is not reachable by untrusted clients.
Attack Vector
An attacker who obtains admin credentials, replays a captured session, or chains a separate authentication or CSRF flaw can submit a PHP payload to the XMLRPC endpoint. The payload executes with the privileges of the pfSense management process, enabling persistence, traffic interception, lateral movement, and rule modification. The attack vector is network-based and exploitable wherever the management interface or XMLRPC endpoint is reachable.
No verified public exploit code is associated with this CVE at this time. Technical details are referenced in the Full Disclosure Mailing List Post.
Detection Methods for CVE-2025-69691
Indicators of Compromise
- XMLRPC POST requests to /xmlrpc.php containing the pfsense.exec_php method name from unexpected source addresses
- New or modified PHP files under /usr/local/www/ or /conf/ outside of patch windows
- Unexpected outbound connections initiated by the pfSense php-fpm or lighttpd process
- New cron entries, packages, or shell users added to the firewall configuration
Detection Strategies
- Inspect web server logs for xmlrpc.php requests and correlate against the source IPs authorized for HA synchronization
- Alert on any pfsense.exec_php invocation originating from outside the HA peer network
- Monitor the pfSense config.xml revision history for changes not tied to an approved change ticket
- Baseline normal XMLRPC volumes and flag spikes that may indicate brute-force or scripted abuse
Monitoring Recommendations
- Forward pfSense system, authentication, and web server logs to a centralized SIEM for long-term retention
- Track failed and successful logins to the WebGUI and XMLRPC endpoints by source IP
- Enable file integrity monitoring on firewall configuration directories where feasible
How to Mitigate CVE-2025-69691
Immediate Actions Required
- Restrict the pfSense management interface and XMLRPC endpoint to trusted management networks only
- Rotate all admin passwords and API credentials, and enforce multi-factor authentication on the WebGUI
- Audit the HA synchronization peer IP allowlist and remove unused entries
- Review recent config.xml changes, installed packages, and cron jobs for unauthorized modifications
Patch Information
Netgate disputes CVE-2025-69691 and treats pfsense.exec_php as intended behavior for administrators. No vendor patch has been issued. Operators should monitor official Netgate advisories for updates and apply hardening rather than wait for a code fix. Refer to the Full Disclosure Mailing List Post for the original report.
Workarounds
- Bind the WebGUI and XMLRPC services to a dedicated management interface unreachable from WAN or user networks
- Use firewall rules to allow XMLRPC traffic only from the HA peer address when HA is in use, and block it entirely when HA is not deployed
- Place the management interface behind a VPN and require certificate-based authentication
- Apply the principle of least privilege to admin accounts and remove unused administrative users
# Example pfSense firewall rule restricting XMLRPC to the HA peer
# Interface: SYNC (dedicated HA interface)
# Action: Pass
# Protocol: TCP
# Source: <HA_PEER_IP>/32
# Destination: This Firewall (self)
# Destination Port: 443 (or custom WebGUI port)
#
# Block XMLRPC on all other interfaces:
# Action: Block
# Protocol: TCP
# Source: any
# Destination: This Firewall
# Destination Port: 443
# Advanced: HTTP request path matches /xmlrpc.php (via package such as pfBlockerNG/Snort)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
