External risk intelligence

Netgate pfSense CE could allow an internal attacker to gain full system control.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2025-69690

An internal attacker with administrative access to Netgate pfSense CE can run unauthorized commands to take full control of the system. This allows them to modify critical security rules and intercept internal network traffic, potentially leading to long-term compromise of your network infrastructure.

2Halo Surface Signal

Deserialization

Pfsense

2.7.2

External exposure likelihood

Halo Surface Signal score for CVE-2025-69690

The vulnerability affects the administrative interface of a network gateway. While the appliance itself is commonly internet-facing, its management interfaces are typically restricted to internal networks or VPNs. Public exposure of this administrative portal is non-standard, requires specific misconfiguration, and is not a default deployment pattern.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Netgate pfSense CE allows an attacker with administrative access to execute arbitrary code by uploading a crafted backup file. Because this requires administrative privileges, the vendor disputes the severity, stating it's an intended feature for administrators to run custom commands.

Administrative access required to exploit.
Potentially allows full system compromise.
Impacts network gateway security.

Attack Path

How an attacker could exploit the issue

An attacker with administrative privileges could abuse this flaw to execute arbitrary code by uploading a crafted backup file containing a serialized PHP object. This object, when processed by the module installer, would allow the attacker to define commands to run after a reboot, effectively achieving code execution on the system.

Requires admin access.
Uses module installer feature.
Targets PHP object deserialization.

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to weaponize this vulnerability due to its specific requirements. The exploit requires administrative access to install modules, and the vendor disputes the severity, stating intentional PHP code execution is permitted for administrators.

Requires admin privileges.
No public exploit available.
Vendor dispute on severity.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching pfSense CE to version 2.7.3 or later to address critical code execution risks. If immediate patching is not feasible, restrict access to the module installer and monitor for suspicious activity, especially involving backup files or the `post_reboot_commands` property.

Patch pfSense to 2.7.3+.
Restrict module installer access.
Monitor for suspicious backup file activity.

Frequently asked questions

What is Netgate pfSense CE?

Netgate pfSense CE is community edition software used as a network firewall and router. It provides advanced features for managing network traffic, security, and connectivity, often deployed in small to medium-sized businesses and by home users for robust network control.

What is the vulnerability in CVE-2025-69690?

CVE-2025-69690 is related to improper handling of serialized PHP objects. Specifically, the module installer in pfSense CE 2.7.2 can be tricked into executing arbitrary code if a specially crafted backup file containing such an object is uploaded.

How can this vulnerability be triggered?

This vulnerability is triggered when an administrator uploads a backup file that contains a serialized PHP object with a specific property, `post_reboot_commands`. The module installer then processes this object, leading to unintended code execution. The installer is only available to administrators, and the vendor indicates that intentional PHP code execution by admins is a feature.

Who should care about this threat advisory?

Organizations using Netgate pfSense CE 2.7.2 should be aware of this. While the vulnerability requires administrative access, making direct external exploitation unlikely, it could be a concern if an attacker first gains administrative control through other means. The Halo Surface Signal indicates this is unlikely to be directly exposed to the internet in a typical configuration.

What is the first step to address this CVE?

The primary recommendation is to update Netgate pfSense CE to version 2.7.3 or a later release. If updating is not immediately possible, restrict access to the module installer and closely monitor for any unusual activity related to uploaded backup files or the `post_reboot_commands` setting.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.