CVE-2025-69691
critical
CVSS 9.9
Vulnerability in pfsense (CVE-2025-69691)
Summary
Vulnerability in pfSense (CVE-2025-69691). Successful exploitation can lead to full system takeover.
AI summary openai / gpt-4o
Netgate pfSense CE 2.8.0 has a vulnerability in its XMLRPC API that allows attackers to execute arbitrary code. Although the method requires admin credentials, an attacker who obtains them can compromise the entire system. If your company uses this product, consider restricting API usage or strengthening authentication measures. This is similar in cause and risk to highly impactful vulnerabilities like Heartbleed.
The vulnerability resides in the XMLRPC API's pfsense.exec_php method. This endpoint is enabled by default and reachable over HTTPS using Basic Authentication. Given admin credentials, an attacker can execute arbitrary PHP code with a single curl request. The affected version is pfSense CE 2.8.0, and no vendor patch is available. Mitigation may involve changing admin credentials and strengthening API access restrictions.
❓ What is the problem
Code execution through XMLRPC API's pfsense.exec_php method.
📍 Affected scope
Netgate pfSense CE 2.8.0
🔥 Severity
Critical severity with CVSS score 9.9, enabling full remote root compromise.
🔧 How to fix
No vendor patch is available; it is recommended to restrict XMLRPC API access and strengthen authentication.
🛡️ Workaround
Change admin credentials and apply API access restrictions.
🔍 Detection
Monitor for unauthorized access attempts to XMLRPC API using logging and alerting tools.
Related past incidents
Similar incidents extracted from past CVEs
Another RCE in pfSense CE demonstrating similar security concerns.
If this happens at your company
Expected impact per business scenario
📌 Corporate networks using pfSense for network security.
Potential full control and data leakage if admin credentials are compromised.
📌 Managed service providers using pfSense for clients.
Compromise of client networks and lateral movement to other sensitive systems.
📌 Organizations relying on pfSense for secure routing and firewall.
Loss of firewall integrity, leading to unauthorized access and data breaches.
Recommended action
Monitor API access, change default credentials, and implement strict API access controls.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
1. Identify exposure
grep -r 'pfsense' . | grep -v node_modules
Grep for `pfsense` in the repository and in the production dependency files (package-lock.json / requirements.txt / go.sum / Gemfile.lock, etc.) to find out which services and versions are running.
7. Post-deployment verification
Confirm the patched version is live in production.
After applying the patch, reproduce the PoC or an equivalent exploitation pattern in staging to confirm that the vulnerability is closed. In production, keep monitoring with the same log query as in Step 3 to check that the alert does not recur.