CVE-2025-69691: Netgate pfSense XMLRPC API Allows Admin Code Execution
CVE-2025-69691 (CVSS 9.9) in Netgate pfSense CE 2.8.0 lets authenticated admins execute arbitrary PHP via XMLRPC's pfsense.exec_php; Netgate disputes the severity.

Executive Summary
A critical vulnerability in Netgate pfSense CE 2.8.0 — tracked as CVE-2025-69691 with a CVSS score of 9.9 — allows authenticated administrators to execute arbitrary PHP code via the XMLRPC API's pfsense.exec_php method. The flaw, disclosed on the Full Disclosure mailing list in February 2026, has drawn a sharp dispute from Netgate, which argues that the API endpoint is intentionally available only to admin users and that such users are already permitted to run PHP code. The disagreement highlights a fundamental tension between the researcher's view of a security boundary violation and the vendor's design philosophy.
Technical Analysis
According to the disclosure published on the Full Disclosure mailing list (February 2026), the vulnerability resides in the XMLRPC API exposed by pfSense CE version 2.8.0. The pfsense.exec_php method accepts arbitrary PHP code as input and executes it on the server without additional sandboxing or privilege checks beyond the initial authentication requirement.
The XMLRPC API in pfSense is designed to allow remote management and automation. The exec_php method, as documented in the pfSense developer API, is intended for plugin and integration use cases. The researcher who reported CVE-2025-69691 argues that the method should not be accessible via the API in its current form, as it effectively grants an authenticated admin the ability to run arbitrary system commands through PHP functions like exec(), system(), or shell_exec().
Netgate's position, as noted in the NVD entry, is that the API call is only available to users who already possess administrative privileges — and that those users are intentionally allowed to execute PHP code. The vendor disputes the classification of this behavior as a vulnerability, stating that the API is functioning as designed.
This dispute is not without precedent. Several network appliance vendors have historically drawn a line at exposing code execution capabilities to authenticated admins, arguing that full administrative access already implies the ability to modify system files and run commands. Security researchers, by contrast, often view any API endpoint that executes arbitrary code — even if authenticated — as a privilege escalation risk, particularly in multi-tenant or delegated admin scenarios.
It is important to note that the disclosure does not include proof-of-concept code, exploit chains, or evidence of in-the-wild exploitation. The CVSS score of 9.9 reflects the ease of exploitation (low attack complexity, no user interaction, network-based) combined with the high impact on confidentiality, integrity, and availability — but only after authentication.
Mitigations & Recommendations
For organizations running pfSense CE 2.8.0, the primary mitigation is to restrict access to the XMLRPC API to trusted IP addresses only. This can be achieved through firewall rules that limit the source IPs permitted to reach the XMLRPC endpoint (typically port 443 or a custom port).
Additionally, administrators should review whether the pfsense.exec_php method is required for their environment. If the XMLRPC API is not actively used for automation or integration, disabling the service entirely reduces the attack surface. Netgate has not released a patch or configuration change that removes or restricts the method as of this writing, so defenders must rely on network-level controls.
Organizations using pfSense in multi-admin environments — where not all users with API access should have full PHP execution rights — should treat this as a priority finding and implement strict access controls or consider upgrading to a version where the API behavior is more granular.
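A defender-side triage check for the network-level control described above, added here as an example and not code from the disclosure or from Netgate: it parses captured XML-RPC request bodies with Python's standard `xmlrpc.client`, flags calls to `pfsense.exec_php`, and escalates those arriving from outside a management allowlist. The allowlist, the captured bodies and the read-only method name `pfsense.example_readonly` are constructed for the example.

```python
import ipaddress
import xmlrpc.client

# Method the disclosure identifies as running arbitrary PHP for any
# authenticated admin; calls to it are always escalated.
HIGH_RISK_METHODS = {"pfsense.exec_php"}

# Management allowlist (constructed for this example; substitute your own).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed XML-RPC POST bodies as a reverse proxy or packet capture might
# record them. "pfsense.example_readonly" is a placeholder, not a real method.
SAMPLE_CAPTURES = [
    ("10.0.0.5", "<?xml version='1.0'?><methodCall><methodName>pfsense.example_readonly"
                 "</methodName><params></params></methodCall>"),
    ("203.0.113.7", "<?xml version='1.0'?><methodCall><methodName>pfsense.exec_php"
                    "</methodName><params><param><value><string>/* php snippet */"
                    "</string></value></param></params></methodCall>"),
    ("10.0.0.5", "<?xml version='1.0'?><methodCall><methodName>pfsense.exec_php"
                 "</methodName><params><param><value><string>/* php snippet */"
                 "</string></value></param></params></methodCall>"),
    ("203.0.113.7", "not an xml-rpc body"),
]


def classify_request(src_ip: str, body: str) -> dict:
    """Parse one captured XML-RPC body and return a verdict.

    'allow': benign method from a trusted host; 'review': benign method from an
    untrusted host, or exec_php from a trusted admin host; 'alert': exec_php
    from outside the allowlist; 'malformed': body could not be parsed.
    """
    try:
        _params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # ExpatError, ResponseError, ...
        return {"src": src_ip, "method": None, "trusted": False,
                "verdict": "malformed", "error": str(exc)}
    addr = ipaddress.ip_address(src_ip)
    trusted = any(addr in net for net in TRUSTED_NETS)
    if method in HIGH_RISK_METHODS:
        verdict = "review" if trusted else "alert"
    else:
        verdict = "allow" if trusted else "review"
    return {"src": src_ip, "method": method, "trusted": trusted, "verdict": verdict}


def scan(captures) -> list:
    """Classify every (source IP, body) pair; alerts sort first for triage."""
    order = {"alert": 0, "malformed": 1, "review": 2, "allow": 3}
    results = [classify_request(ip, body) for ip, body in captures]
    return sorted(results, key=lambda r: order[r["verdict"]])
```

Access logs alone do not show the method name, so the check needs request bodies from a reverse proxy, WAF or capture in front of the pfSense web GUI.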

