CVE-2025-69691
CriticalSummary
Netgate pfSense CE version 2.8.0 allows code execution via the XMLRPC API using pfsense.exec_php. The supplier disputes this vulnerability as the API call is only available to admins who are intentionally allowed to execute PHP code.
Risk Assessment
Exploitation of this vulnerability could lead to unauthorized code execution on the server, posing a serious security threat to the system.
Recommendation
It is recommended to restrict access to the XMLRPC API to trusted administrators and to monitor and audit calls to pfsense.exec_php.
Original NVD description (English source)
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.

