CVE Catalog

CVE-2025-69691

Critical
Published: Translated: NVD NIST

Summary

Netgate pfSense CE version 2.8.0 allows code execution via the XMLRPC API using pfsense.exec_php. The supplier disputes this vulnerability as the API call is only available to admins who are intentionally allowed to execute PHP code.

Risk Assessment

Exploitation of this vulnerability could lead to unauthorized code execution on the server, posing a serious security threat to the system.

Recommendation

It is recommended to restrict access to the XMLRPC API to trusted administrators and to monitor and audit calls to pfsense.exec_php.

Original NVD description (English source)

Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS