Remote Code Execution in Netgate pfSense CE 2.8.0 by XMLRPC API
CVE-2025-69691

9.9 CRITICAL

Key Information:

Vendor: Netgate

CVE Published: 8 May 2026

What is CVE-2025-69691?

Netgate pfSense CE 2.8.0 has a vulnerability in its XMLRPC API that can potentially allow unauthorized code execution through the pfsense.exec_php function. The vendor claims that this API can only be accessed by administrators who have the explicit right to execute PHP commands, but there are concerns about the security implications and risks involved. This highlights the importance of not relying solely on administrative controls to protect against potential misuse.

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
