External risk intelligence

Netgate pfSense CE could allow internal attacker to gain full system control

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2025-69691

An internal attacker with valid administrative credentials could exploit the Netgate pfSense CE firewall to run unauthorized commands, potentially leading to full system control. This exposes the business to significant risk, as it could allow unauthorized manipulation of network traffic and compromise the security pe…

2Halo Surface Signal

Pfsense

2.8.0

External exposure likelihood

Halo Surface Signal score for CVE-2025-69691

The vulnerability affects an administrative API on a firewall appliance. Such interfaces are designed to be restricted to internal management networks and are not intended to be publicly exposed. Exploitation requires valid administrative credentials, and common deployment patterns involve keeping management services behind internal controls rather than on the public internet.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in Netgate pfSense CE's XMLRPC API that could allow code execution. This is significant because it impacts a widely used firewall platform, and an attacker with existing administrative access could potentially exploit it.

  • Attackers can execute arbitrary PHP code.
  • Requires administrative privileges.

Attack Path

How an attacker could exploit the issue

An attacker with administrative credentials could exploit this flaw in the pfSense CE 2.8.0 XMLRPC API to execute arbitrary PHP code on the system. This could allow them to take full control of the firewall, potentially leading to network compromise.

  • Requires admin login.
  • Targets XMLRPC API.
  • Enables remote code execution.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability less appealing due to its targeting of a privileged administrative API on a firewall appliance. Exploitation requires administrative credentials, and these systems are typically secured behind internal network defenses.

  • Requires admin credentials.
  • Likely not internet-facing.
  • Vendor disputes vulnerability.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline any Netgate pfSense CE 2.8.0 instances if they are exposed to untrusted networks, given the critical risk of unauthenticated code execution. While the vendor disputes the severity due to administrative access requirements, the potential for a severe impact warrants immediate attention.

  • Restrict XMLRPC API access to trusted internal networks.
  • Monitor logs for suspicious `pfsense.exec_php` calls.
  • Investigate alternative mitigation or upgrade paths.

Frequently asked questions

What is Netgate pfSense CE?

Netgate pfSense CE is a widely adopted open-source firewall and router platform used for network security and traffic management across various environments, from home networks to large corporations.

What is the core weakness in CVE-2025-69691?

CVE-2025-69691 is characterized by CWE-284 (Improper Access Control) and CWE-915 (Improperly Controlled Dynamic Code Evaluation), allowing arbitrary code execution within the XMLRPC API.

How could an attacker exploit CVE-2025-69691?

Exploitation of CVE-2025-69691 requires an attacker to possess administrative credentials for the pfSense system. The vulnerability allows for the execution of arbitrary PHP code through the XMLRPC API, which could lead to a complete compromise of the firewall.

What is the relevance of CVE-2025-69691 to security?

This vulnerability is significant because it affects a critical network security device, pfSense CE, and allows for remote code execution with administrative privileges. While Netgate disputes this as intended administrative functionality, security researchers classify it as a severe flaw.

What are the recommended responses to CVE-2025-69691?

Given Netgate's dispute of the vulnerability and lack of a specific patch, users are advised to restrict access to the XMLRPC API to trusted internal networks. Monitoring logs for suspicious activity and investigating alternative mitigation or upgrade paths are also recommended.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified