CVE-2025-69690
Undergoing Analysis Undergoing Analysis - In Progress
Code Execution via PHP Object Injection in Netgate pfSense CE

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: MITRE

Description
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2025-69690
EUVD
EUVD-2025-209738
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netgate pfsense_ce 2.7.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

If exploited, this vulnerability could allow an attacker with administrative access to execute arbitrary PHP code on the system via the module installer using a specially crafted backup file.

Since only administrators have access to the installer, the impact is limited to users with admin privileges.

Executive Summary

The vulnerability in Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file that contains a serialized PHP object with the post_reboot_commands property.

However, the supplier disputes this vulnerability because the installer is only accessible to administrators who are intentionally allowed to execute PHP code.

Compliance Impact

This vulnerability allows authenticated administrators to execute arbitrary code as root, potentially leading to full system compromise, credential theft, and firewall takeover.

Such a compromise could result in unauthorized access to sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and health information.

However, since the vulnerability requires administrative access and is considered by the vendor as 'authenticated administrative abuse,' the risk is limited to trusted users with elevated privileges.

No official patches have been provided, which may complicate remediation efforts and compliance obligations.

Detection Guidance

This vulnerability involves the use of a malicious backup file containing a crafted serialized PHP object that executes commands via the post_reboot_commands property during a configuration restore in pfSense CE 2.7.2.

Detection can focus on identifying unauthorized or suspicious restore operations involving backup files, especially those containing serialized PHP objects.

Since the exploit requires administrative access to upload and restore the malicious backup, monitoring administrative actions and logs related to configuration restores is important.

  • Check pfSense system logs for restore operations or uploads of backup files.
  • Use commands to inspect recent file uploads or modifications in the pfSense configuration directory.
  • Monitor for execution of unexpected commands or processes triggered after a reboot or restore.

Specific commands are not provided in the available resources, but general Linux commands such as 'ls -lt /cf/conf/' to check recent configuration files, 'grep' to search logs for restore events, and 'ps aux' to look for suspicious processes may be useful.

Mitigation Strategies

Immediate mitigation steps include restricting administrative access to the pfSense web interface to trusted users only, as the vulnerability requires administrative privileges to exploit.

Monitor and audit all configuration restore operations and backup file uploads to detect any unauthorized or suspicious activity.

Avoid restoring backup files from untrusted sources or those that have not been verified.

Since the vendor has not issued a patch and considers this behavior as authenticated administrative abuse, enforcing strong authentication, using multi-factor authentication, and limiting admin accounts can reduce risk.

Consider isolating the pfSense management interface from general network access to reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69690. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart