Netgate pfSense CE 2.8.0 XMLRPC API Code Execution
CVE-2025-69691 Published on May 8, 2026

Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.

NVD

Vulnerability Analysis

CVE-2025-69691 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2025-69691. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2025-69691 has been classified to as an Authorization vulnerability or weakness.

What is a Mass Assignment Vulnerability?

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CVE-2025-69691 has been classified to as a Mass Assignment vulnerability or weakness.


Products Associated with CVE-2025-69691

Want to know whenever a new CVE is published for Netgate Pfsense Ce? stack.watch will email you.

Netgate Pfsense Ce