pfSense CE 2.7.2 RCE via Module Installer Serialized PHP Object
CVE-2025-69690 Published on May 8, 2026

Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.

NVD

Vulnerability Analysis

CVE-2025-69690 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2025-69690. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2025-69690 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.

What is a Mass Assignment Vulnerability?

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CVE-2025-69690 has been classified to as a Mass Assignment vulnerability or weakness.


Products Associated with CVE-2025-69690

Want to know whenever a new CVE is published for Netgate Pfsense? stack.watch will email you.

Netgate Pfsense