9.9

CVE-2025-69691: pfSense XMLRPC API allows malicious code execution by admins

CVE-2025-69691
Summary

A security issue exists in pfSense CE 2.8.0 that allows administrators to execute unauthorized code through the XMLRPC API. This could potentially allow an attacker to gain control of the system if an administrator's credentials are compromised. To address this, consider restricting access to the XMLRPC API or updating to a patched version.

Original title
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally a...
Original description
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
Vulnerability type
CWE-284 Improper Access Control
CWE-915
Published: 8 May 2026 · Updated: 28 May 2026 · First seen: 8 May 2026