Executive Summary

CVE-2025-69691 is a critical vulnerability in Netgate pfSense Community Edition version 2.8.0 that allows authenticated administrators to execute arbitrary PHP code as the root user via the XMLRPC API method called pfsense.exec_php.

This API endpoint is enabled by default and accessible over HTTPS using Basic Authentication. Many deployments use default credentials (admin:pfsense), making it easier for attackers with admin access to exploit this.

Because the API does not validate or sandbox the PHP code executed, an attacker can send a crafted XMLRPC request to run system commands immediately with root privileges.

The vendor acknowledges this behavior as expected for authenticated users and has not issued a patch.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to full system compromise because attackers with administrative access can execute arbitrary commands as root.

• Immediate execution of system commands with root privileges.
• Potential persistent compromise of the firewall system.
• Credential theft and unauthorized access.
• Complete takeover of the firewall device, potentially disrupting network security.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying if the pfSense CE 2.8.0 system is running and if the XMLRPC API method pfsense.exec_php is accessible. Since the endpoint is enabled by default and accessible via HTTPS with Basic Authentication, scanning for this API endpoint and checking for default or weak admin credentials can help detect potential exploitation.

Commands to detect this might include using tools like curl or wget to send crafted XMLRPC requests to the pfSense device to verify if the pfsense.exec_php method is accessible and executable. For example, a curl command to test the API endpoint with admin credentials could be used.

• curl -u admin:pfsense -X POST -H "Content-Type: text/xml" --data '<methodCall><methodName>pfsense.exec_php</methodName><params><param><value><string>whoami</string></value></param></params></methodCall>' https://[pfsense-ip]/xmlrpc.php

Monitoring logs for unusual XMLRPC API calls or unexpected PHP code execution can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the XMLRPC API endpoint to trusted administrators only and changing default credentials to strong, unique passwords to prevent unauthorized access.

Since the vendor has not issued a patch and considers this behavior expected for authenticated users, it is critical to limit administrative access strictly and monitor for suspicious activity.

• Disable or restrict the XMLRPC API endpoint if it is not needed.
• Enforce strong authentication policies and rotate admin passwords.
• Implement network-level controls such as firewall rules to limit access to the pfSense management interface.
• Monitor system and API logs for unusual or unauthorized commands.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated administrative users to execute arbitrary code as root on pfSense CE 2.8.0, potentially leading to full system compromise, credential theft, and firewall takeover.

Such a compromise could result in unauthorized access to sensitive data or disruption of security controls, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and health information.

However, since the vulnerability requires administrative authentication and is considered by the vendor as expected behavior for admins, the direct compliance impact depends on the organization's access controls and monitoring practices.

Useful 0 Not Useful 0