CVE Catalog

CVE-2025-69690

Critical
Published: Translated: NVD NIST

Summary

Netgate pfSense CE version 2.7.2 allows code execution by using the module installer with a backup file containing a serialized PHP object with the post_reboot_commands property.

Risk Assessment

Unauthorized code execution could lead to serious security breaches in the system, especially since the installer is only accessible to admins.

Recommendation

It is recommended to restrict access to the module installer and monitor admin activities to prevent unauthorized code execution.

Original NVD description (English source)

Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS