CVE-2025-69691
Netgate · pfSense CE
Netgate pfSense CE 2.8.0 contains a potential code execution vulnerability in the XMLRPC API via the pfsense.exec_php function.
Executive summary
A vulnerability in Netgate pfSense CE 2.8.0 allows authenticated administrators to execute arbitrary PHP code through the XMLRPC API.
Vulnerability
The vulnerability involves the pfsense.exec_php function within the XMLRPC API, which takes PHP source as a parameter and evaluates it on the firewall with the privileges of the web server process. The vendor disputes the finding on the grounds that the method is an intended administrative function and is only reachable by authenticated administrative users. That restriction does not change what the method does: any caller holding administrator credentials can execute arbitrary PHP, and through it arbitrary commands, within the system environment.
Business impact
The CVSS score of 9.9 reflects a network-reachable path to full compromise of confidentiality, integrity, and availability. The requirement for administrative authentication does not lower that impact; it only narrows the set of callers to anyone who holds, steals, or reuses an administrator's credentials. An attacker in that position gains full control over the firewall, which can lead to total network compromise, traffic interception, and silent rule changes that survive review because they are made through a legitimate management channel.
Remediation
Immediate Action: Enforce strict Multi-Factor Authentication (MFA) for all administrative accounts. Note that xmlrpc.php authenticates each request with a username and password supplied in an HTTP Basic Authorization header, so a second factor enforced only on the web GUI login form does not cover the API; the control is effective only when the authentication backend itself requires the second factor.
Proactive Monitoring: Audit the webConfigurator access logs for POST requests to /xmlrpc.php, alert on any call to pfsense.exec_php that does not originate from a configured HA peer, and review unexpected changes to system configuration.
Compensating Controls: The XMLRPC endpoint is served by the same webConfigurator listener as the GUI, so restrict access to that port with firewall rules to trusted management and HA peer addresses only, limiting the attack surface for credential-based attacks.
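The monitoring and allowlist controls above can be combined into one check. The following is an added example, not code from the page or from Netgate: it parses captured XML-RPC request bodies with Python's standard xmlrpc.client, extracts the method name and first parameter, and raises an alert when a call comes from outside the trusted HA peer list, or when pfsense.exec_php is invoked even by a trusted peer so that it can be matched against a known sync event. The sample requests and the peer address are constructed for the example; pfsense.exec_php is the method named in the advisory, while pfsense.exec_shell and pfsense.restore_config_section are assumed to be present in the same XML-RPC server and are used here on that assumption.

```python
import ipaddress
import xmlrpc.client
from dataclasses import dataclass

# Methods that evaluate code on the firewall. pfsense.exec_php is the method named
# in CVE-2025-69691; pfsense.exec_shell is assumed to be exposed by the same server.
HIGH_RISK_METHODS = {"pfsense.exec_php", "pfsense.exec_shell"}

# Constructed for this example: the address of the configured HA peer.
TRUSTED_HA_PEERS = ["10.0.0.2/32"]


@dataclass
class Alert:
    src_ip: str
    method: str
    reason: str
    snippet: str  # first 80 characters of the first parameter, when it is a string


def parse_xmlrpc_call(body: str):
    """Return (method_name, params) for an XML-RPC methodCall body, else None."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:
        return None  # not well-formed XML-RPC (e.g. an ordinary GUI form POST)
    if method is None:
        return None  # a methodResponse, not a call
    return method, params


def audit_xmlrpc_requests(requests, trusted_peers):
    """requests: iterable of (source_ip, raw_post_body). Returns a list of Alert."""
    trusted = [ipaddress.ip_network(n) for n in trusted_peers]
    alerts = []
    for src_ip, body in requests:
        parsed = parse_xmlrpc_call(body)
        if parsed is None:
            continue
        method, params = parsed
        ip = ipaddress.ip_address(src_ip)
        from_peer = any(ip in net for net in trusted)
        snippet = params[0][:80] if params and isinstance(params[0], str) else ""
        if not from_peer:
            # Any XML-RPC call from a host that is not an HA peer is suspicious.
            alerts.append(Alert(src_ip, method, "xmlrpc call from untrusted source", snippet))
        elif method in HIGH_RISK_METHODS:
            # Trusted peers do call exec_php during sync; confirm it matches a sync event.
            alerts.append(Alert(src_ip, method, "code-execution method from trusted peer", snippet))
    return alerts


# Constructed sample traffic, built with the same serializer the detector parses.
SAMPLE_REQUESTS = [
    # Routine sync from the HA peer (method name assumed).
    ("10.0.0.2", xmlrpc.client.dumps(({"filter": {}},), methodname="pfsense.restore_config_section")),
    # exec_php from the HA peer: expected during sync, still worth correlating.
    ("10.0.0.2", xmlrpc.client.dumps(("filter_configure();",), methodname="pfsense.exec_php")),
    # exec_php from a non-peer host: stolen credentials or a misconfiguration.
    ("203.0.113.7", xmlrpc.client.dumps(("phpinfo();",), methodname="pfsense.exec_php")),
    # Not XML-RPC at all (a GUI form POST); skipped by the parser.
    ("203.0.113.7", "usernamefld=admin&passwordfld=hunter2"),
]

if __name__ == "__main__":
    for a in audit_xmlrpc_requests(SAMPLE_REQUESTS, TRUSTED_HA_PEERS):
        print(f"{a.src_ip} {a.method}: {a.reason} {a.snippet!r}")
```

Feeding it real traffic requires the POST bodies, which the default access log does not contain; a reverse proxy or packet capture in front of the webConfigurator is the usual source. Source address alone is still enough to apply the allowlist rule, since every call from a non-peer is worth an alert regardless of method.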
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
While the vendor views this as an administrative feature rather than a defect, the risk of an attacker "living off the land" with stolen credentials is significant: the method is a built-in, authenticated code-execution primitive that leaves no exploit artifact on disk. Security teams should prioritize the protection of administrative credentials, limit webConfigurator and XMLRPC access to known, authorized sources, and treat any exec_php call that cannot be tied to an HA sync event as an incident.