← Back
CVE-2025-69690
critical
CVSS 9.1
Unsafe Deserialization in deserialization (CVE-2025-69690)
Summary
vulnerability in deserialization (CVE-2025-69690). Successful exploitation can lead to full system takeover.
AI summary openai / gpt-4o
Netgate pfSense CE 2.7.2 has a vulnerability allowing dangerous code execution by administrators via utilities. For example, using a system backup file could enable unauthorized access or data breaches. Although intended for administrators only, improper access poses serious system risks. Strengthening administrator credentials and monitoring routine activities is recommended.
The vulnerability in Netgate pfSense CE 2.7.2 allows arbitrary code execution via the module installer with a backup file. It utilizes a serialized PHP object, exploiting the post_reboot_commands property to execute malicious PHP code. An attacker authenticates as an administrator, uploads a malicious configuration file, and leverages fake reboot commands to gain full system access. The vendor deems this normal administrative action and will not issue a patch. Monitoring access logs and system audits are recommended as preventive measures.
❓ What is the problem
Netgate pfSense CE 2.7.2 allows code execution via module installer using a backup file with a serialized PHP object.
📍 Affected scope
Backup/restore mechanism in config.php, pfSense module installer class, unserialize() handling.
🔥 Severity
Critical severity allowing arbitrary code execution and full system compromise.
🔧 How to fix
No fix provided by vendor; considered intended behavior for admins.
🛡️ Workaround
No specific workaround available besides monitoring and access controls.
🔍 Detection
Monitor access logs for suspicious upload activities or unauthorized restore operations.
Related past incidents Similar incidents extracted from past CVEs
Similar RCE vulnerability in pfSense CE 2.8.0 using XMLRPC API method allowing PHP code execution.
Another severe RCE exploit where attackers could execute code remotely due to improper control in logging applications.
Historic vulnerability involving memory exposure that allowed attackers to extract sensitive information.
If this happens at your company Expected impact per business scenario
📌 In an enterprise networking environment using pfSense for network security.
Unauthorized users could employ this vulnerability to compromise network defenses, leading to potential data breaches and network outages.
📌 Deployment in cloud environments for client data protection.
Risk of exposing sensitive client data due to unauthorized access, impacting business reputation and client trust.
📌 Usage in educational institutions' infrastructures for internal network control.
Potential disruption of services and unauthorized alteration of firewall rules, affecting educational operations.
Recommended action
Implement enhanced access controls, monitor system usage closely, and train admins to recognize abnormal activity.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
-
1Identify exposure identify
Audit SBOM/dependencies for affected components.依存マニフェストで影響コンポーネントを特定する。
-
7Post-deployment verification verify
Confirm patched version is live in productionパッチ適用後、ステージングで PoC または同等の悪用パターンを再現して脆弱性が閉じたことを確認。本番では Step 3 と同じログクエリでアラート再発が無いか継続監視。