← back
CVE-2025-69690

CVE-2025-69690

CVSS 9.1 CRITICALEPSS 0.6%CWE-502CWE-915
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected products
n/a · n/a
public PoCs found1
githubgithub.com/privlabs/CVE-2025-69690-CVE-2025-696910
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://seclists.org/fulldisclosure/2026/Feb/16https://www.linkedin.com/in/nelson-adhepeau/