CVE-2025-69690
CriticalSummary
Netgate pfSense CE version 2.7.2 allows code execution by using the module installer with a backup file containing a serialized PHP object with the post_reboot_commands property.
Risk Assessment
Unauthorized code execution could lead to serious security breaches in the system, especially since the installer is only accessible to admins.
Recommendation
It is recommended to restrict access to the module installer and monitor admin activities to prevent unauthorized code execution.
Original NVD description (English source)
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.

