Netgate pfSense CE Authenticated RCE via Unsafe Deserialization and XMLRPC (CVE-2025-69690/69691) with PoC

Vulnerability Summary: Netgate pfSense CE Remote Code Execution Vulnerabilities Overview The advisory discloses two independent authenticated remote code execution (RCE) vulnerabilities within Netgate pfSense Community Edition. Both vulnerabilities are classified as "expected behavior," and therefore, no patches have been released by the vendor. 1. CVE-2025-69690: RCE resulting from unsafe deserialization. 2. CVE-2025-69691: RCE via the XMLRPC interface. Affected Scope Affected Software: Netgate pfSense Community Edition (CE) Affected Versions: 2.7.2 and 2.8.0 Prerequisites: Requires administrative privileges (Authenticated) Remediation Vendor Response: Netgate has confirmed the reports but categorized them as "expected administrative misuse," without releasing patches. Recommendation: Since the vendor will not provide fixes, administrators are advised to strengthen access control by restricting access to the administration interface and monitoring for anomalous behavior. Vulnerability Details and Exploit Code 1. CVE-2025-69690 (pfsense CE 2.7.2) Description: The configuration restore mechanism lacks whitelist filtering, input validation, or sandboxing when deserializing user-controlled data. Attackers can inject arbitrary commands by uploading a backup file containing malicious serialized PHP objects. CVSS v3.1: 8.8 (High) PoC Payload: 2. CVE-2025-69691 (pfsense CE 2.8.0) Description: pfsense 2.8.0 exposes an XMLRPC API method , which executes arbitrary PHP code with root privileges. This method lacks validation, sandboxing, or restrictions. It is enabled by default and accessible via HTTPS. CVSS v3.1: 9.9 (Critical) Exploit Code**:

Goal Reached Thanks to every supporter — we hit 100%!

Netgate pfSense CE Authenticated RCE via Unsafe Deserialization and XMLRPC (CVE-2025-69690/69691) with PoC