CRITICAL🇵🇱 Wersja polska

CVE-2025-69690

CVSS 9.1v3.1pub. 2026-05-08upd. 2026-05-12

Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Pfsense

    APP
    Pfsense
    2.7.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2025-69691CRITICAL9.9PL ✓ten sam produkt

Netgate pfSense CE 2.8.0 — RCE przez XMLRPC API (pfsense.exec_php)

CVE-2023-29974CRITICAL9.8ten sam produkt

An issue discovered in Pfsense CE version 2.6.0 allows attackers to compromise user accounts via weak password...

CVE-2023-27100CRITICAL9.8ten sam produkt

Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus so...

CVE-2023-29975HIGH7.2ten sam produkt

An issue discovered in Pfsense CE version 2.6.0 allows attackers to change the password of any user without ve...

CVE-2020-19678HIGH7.5ten sam produkt

Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a r...