CVE-2025-69690: Netgate pfSense CE Module Installer RCE via Backup
CVE-2025-69690 (CVSS 9.1) lets authenticated admins achieve remote code execution on pfSense CE 2.7.2 by crafting a backup file with a serialized PHP object.

Executive Summary
A vulnerability in Netgate pfSense CE version 2.7.2, tracked as CVE-2025-69690 with a CVSS score of 9.1, allows authenticated administrators to execute arbitrary PHP code by uploading a crafted backup file containing a serialized PHP object. The flaw resides in the module installer, which deserializes user-supplied data without proper sanitization. Netgate disputes the finding, arguing the installer is intentionally limited to admin-level users who already have the ability to execute PHP code. The disclosure was published to the Full Disclosure mailing list in February 2026.
Technical Analysis
According to the disclosure on the Full Disclosure mailing list (February 2026), the vulnerability exists in the module installer component of pfSense CE 2.7.2. The installer processes backup files that contain serialized PHP objects. An attacker who has authenticated access to the pfSense web interface — specifically with administrative privileges — can craft a backup file that includes a malicious post_reboot_commands property within the serialized object.
Upon restoration of the backup file via the module installer, the pfSense system deserializes the PHP object without verifying the integrity or origin of the serialized data. This deserialization process triggers execution of the commands embedded in the post_reboot_commands property, resulting in remote code execution on the underlying FreeBSD-based system.
The CVSS 9.1 score reflects the critical nature of the flaw: it requires low attack complexity, low privileges (admin), and no user interaction, while enabling complete compromise of confidentiality, integrity, and availability.
Netgate has publicly disputed the severity and classification of this vulnerability. Their position, as noted in the NVD entry, is that the module installer is a feature designed for administrators who are intentionally permitted to execute PHP code. The dispute centers on whether a privilege escalation or unauthorized action is possible — since the attacker must already be an admin, the marginal risk is limited to scenarios where an admin account is compromised or where a lower-privileged user gains admin access through another vulnerability.
The disclosure does not include a proof-of-concept exploit or evidence of active exploitation in the wild. The vulnerability was reported to Netgate prior to publication, but no official patch or advisory has been released as of this writing.
Mitigations & Recommendations
Given the dispute and the lack of an official patch, defenders should take the following steps:
- Restrict administrative access to the pfSense web interface to a small set of trusted IP addresses or use a VPN for management access.
- Enable multi-factor authentication for all admin accounts to reduce the risk of credential theft leading to exploitation of this flaw.
- Monitor backup file uploads in web server logs — look for unexpected or large backup restorations, especially those initiated outside of maintenance windows.
- Audit admin accounts regularly to ensure no unauthorized or dormant accounts exist.
- Consider downgrading or blocking the module installer feature if it is not required for operations, though this may not be possible through the UI without custom configuration changes.
Organizations running pfSense CE 2.7.2 should treat this as a high-priority finding and evaluate their exposure based on the administrative access controls in place.
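The log-monitoring and access-restriction steps above can be combined into one check. The following is an added example, not code from the disclosure or from Netgate: it flags POST requests to the restore endpoint that come from outside the management networks or outside the maintenance window. The endpoint path is a placeholder, and the network range, window and nginx "combined" log format are assumptions to adjust for your deployment.

```python
import ipaddress
import re
from datetime import datetime, time

# Assumptions (none of these come from the advisory): nginx "combined"
# access-log lines, a placeholder restore path, one management network,
# and a maintenance window expressed in the log's own timezone.
RESTORE_PATHS = {"/restore-endpoint-placeholder"}   # replace with your restore URL
MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]
WINDOW = (time(1, 0), time(3, 0))

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3}) '
)

def review(line):
    """Return the list of findings for a restore POST, or None for any other line."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or m["path"] not in RESTORE_PATHS:
        return None
    reasons = []
    try:
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in MGMT_NETS):
            reasons.append("source outside management networks")
    except ValueError:
        reasons.append("unparseable source address")
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").time()
    if not (WINDOW[0] <= when < WINDOW[1]):
        reasons.append("outside maintenance window")
    return reasons

def scan(lines):
    """Yield (line, reasons) for every restore POST with at least one finding."""
    for line in lines:
        reasons = review(line)
        if reasons:
            yield line, reasons

# Constructed sample lines, not real traffic.
SAMPLE = [
    '10.0.50.7 - - [12/Feb/2026:01:30:00 +0000] "POST /restore-endpoint-placeholder HTTP/2.0" 200 5123 "-" "Mozilla/5.0"',
    '10.0.50.7 - - [12/Feb/2026:14:05:11 +0000] "POST /restore-endpoint-placeholder HTTP/2.0" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Feb/2026:23:59:02 +0000] "POST /restore-endpoint-placeholder HTTP/2.0" 200 5123 "-" "Mozilla/5.0"',
    '10.0.50.7 - - [12/Feb/2026:14:06:00 +0000] "GET /index.php HTTP/2.0" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE):
        print("; ".join(reasons), "|", line)
```

The combined log format records response size, not request body size, so spotting unusually large uploads needs a custom log format or a reverse proxy that logs request length.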
