CVE-2025-69691: Critical 9.9 Rating Disputed in Netgate pfSense CE 2.8.0 Code Execution Claim
A newly published vulnerability tracked as CVE-2025-69691 has been assigned a critical severity score of 9.9, claiming that Netgate pfSense CE 2.8.0 permits unauthenticated code execution through the XMLRPC API via the pfsense.exec_php function. The disclosure has drawn immediate attention due to pfSense's widespread deployment as an open-source firewall and routing platform, but the assessment is already facing significant pushback.
Netgate, the supplier behind pfSense, has formally disputed the vulnerability classification. According to the vendor, the pfsense.exec_php API call is restricted to authenticated administrators only, and the ability for admins to execute PHP code is an intentional design feature rather than a security flaw. The dispute centers on whether the functionality constitutes an exploitable vulnerability or a documented administrative capability. The CVSS 9.9 rating assumes the API is accessible to unauthorized actors, a premise the supplier explicitly rejects.
The conflicting assessments create uncertainty for security teams evaluating exposure. Organizations running pfSense CE 2.8.0 should review XMLRPC API exposure and administrative access controls while awaiting further clarification from independent security researchers or additional analysis from Patchstack, which published the initial finding. The incident highlights ongoing tensions in vulnerability disclosure processes, particularly when severity ratings conflict with vendor interpretations of intended functionality. Until consensus emerges, defenders must weigh the disputed claim against their own threat models and network architectures.
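One concrete way to carry out the exposure review suggested above is to check who is actually reaching the XMLRPC endpoint. The script below is an added example written for this article; it is not code from Netgate, pfSense or Patchstack. It assumes the XMLRPC endpoint is served at `/xmlrpc.php` and that the web server writes nginx "combined" format access logs; the log lines are constructed for the example. It flags every request to the endpoint that originates outside the management networks you list, and separates calls the server accepted (2xx) from calls it rejected (401/403), so the accepted ones can be reviewed first against the list of known administrator sessions and config-sync peers.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in nginx "combined" log format (not from a real host).
# 10.0.0.0/24 plays the role of the management network in this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2025:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "XML-RPC sync"
203.0.113.77 - - [12/Jan/2025:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.77 - - [12/Jan/2025:10:01:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.9 - - [12/Jan/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Jan/2025:10:03:14 +0000] "GET /xmlrpc.php HTTP/1.1" 403 0 "-" "curl/8.4"
"""

# Assumed endpoint path for the pfSense XMLRPC API; adjust if the deployment differs.
XMLRPC_PATH = "/xmlrpc.php"

# nginx "combined" format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_status(status):
    """Map an HTTP status to whether the server accepted or rejected the call."""
    if 200 <= status < 300:
        return "accepted"
    if status in (401, 403):
        return "rejected"
    return "other"


def review_xmlrpc_exposure(log_text, allowed_nets):
    """Return XMLRPC requests whose source lies outside the allowed management networks.

    Each finding records the source, time, method, status and the accepted/rejected
    outcome, so accepted calls from unexpected networks can be triaged first.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_nets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        # Strip any query string before comparing against the endpoint path.
        if rec["path"].split("?", 1)[0] != XMLRPC_PATH:
            continue
        src = ipaddress.ip_address(rec["ip"])
        if any(src in net for net in nets):
            continue  # request came from a management network; expected
        findings.append({
            "src": rec["ip"],
            "time": rec["ts"],
            "method": rec["method"],
            "status": int(rec["status"]),
            "outcome": classify_status(int(rec["status"])),
            "agent": rec["ua"],
        })
    return findings


def summarize(findings):
    """Count findings by outcome, e.g. Counter({'rejected': 2, 'accepted': 1})."""
    return Counter(f["outcome"] for f in findings)


if __name__ == "__main__":
    hits = review_xmlrpc_exposure(SAMPLE_LOG, ["10.0.0.0/24"])
    for h in hits:
        print(f'{h["outcome"]:8} {h["src"]:15} {h["method"]} {h["status"]} {h["agent"]}')
    print(dict(summarize(hits)))
```

Run it against the real access log and your own management prefixes; an empty result means the endpoint is only being reached from where you expect, while any "accepted" entry from elsewhere is a session that either holds administrator credentials or should not have been answered at all, and is worth correlating with the firewall's authentication log.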