CVE-2025-69690: Critical Code Execution Vulnerability Claimed in Netgate pfSense CE 2.7.2; Supplier Disputes the Finding
A critical vulnerability has been disclosed in Netgate pfSense CE 2.7.2, assigned CVE-2025-69690 with a CVSS severity score of 9.1. The flaw allegedly enables remote code execution through the module installer when it processes a backup file containing a specially crafted serialized PHP object carrying a post_reboot_commands property. The disclosure has drawn attention in security circles because of the severity rating and the widespread deployment of pfSense as an open-source firewall and router platform. It comes with a significant caveat, however: the supplier has formally disputed the assessment, arguing that the installer in question is only available under restricted conditions, which would limit real-world exploitability. A CVSS score assumes the vulnerable path is reachable as described; if that path requires privileged access that an attacker does not already hold, the effective risk for a given deployment is lower than the headline number suggests.
The technical mechanism described is PHP object injection via the backup restoration pathway. Serialized PHP objects have long been an exploitation vector when an application passes untrusted data to unserialize() without restricting which classes may be instantiated: the payload chooses the class and its property values, and PHP then invokes that class's magic methods (such as __wakeup() or __destruct()) automatically, so any code in those methods that acts on attacker-controlled properties becomes reachable. In this case, according to the report, the post_reboot_commands property provides a hook for arbitrary command execution during the system reboot sequence, and because a backup restore runs with the privileges of the firewall's management code, commands executed through such a hook would inherit those privileges. Security researchers tracking the disclosure note that pfSense has historically been considered a hardened platform, making any claim of critical code execution particularly notable for network administrators and security teams relying on the software for perimeter defense.
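The pattern described above, as an added illustration rather than code from pfSense or from the report: a class whose magic method acts on a property that the serialized input controls, the unsafe unserialize() call that lets a backup file pick that class, and a hardened restore that authenticates the blob and forbids object instantiation. The RestoreJob class, its __wakeup() behaviour, the HMAC step and the backup blob format are all assumptions made for this example (PHP 8); the property name mirrors the one the report cites, but nothing here reproduces pfSense's actual backup or installer code.

```php
<?php
// Added illustration of PHP object injection through unserialize(); this is not
// pfSense code. The RestoreJob class, its __wakeup() hook, the HMAC step and the
// "backup blob" format are assumptions made for the example.

declare(strict_types=1);

class RestoreJob
{
    public array $post_reboot_commands = [];

    // PHP calls __wakeup() automatically right after unserialize() rebuilds an
    // object of this class. A hook like this is what turns attacker-controlled
    // serialized data into code execution: the input picks the class and its
    // property values, and the application runs the magic method for free.
    public function __wakeup(): void
    {
        foreach ($this->post_reboot_commands as $cmd) {
            // Stand-in for queuing a command to run at next boot; real code would
            // call shell_exec() or write a boot script here.
            echo "would run at next boot: {$cmd}\n";
        }
    }
}

// Vulnerable pattern: the uploaded backup decides which classes get instantiated.
function restoreUnsafe(string $backupBlob): mixed
{
    return unserialize($backupBlob);
}

// Hardened pattern: authenticate the blob before parsing it, and never let the
// input instantiate classes. With allowed_classes=false, any object in the payload
// becomes __PHP_Incomplete_Class and no magic method runs.
function restoreSafe(string $backupBlob, string $tag, string $hmacKey): array
{
    if (!hash_equals(hash_hmac('sha256', $backupBlob, $hmacKey), $tag)) {
        throw new RuntimeException('backup integrity check failed');
    }
    $data = unserialize($backupBlob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('backup must be a plain array, not an object');
    }
    return $data;
}

// Constructed payload, built with serialize() so the wire format is visible.
$job = new RestoreJob();
$job->post_reboot_commands = ['id', 'uname -a'];
$payload = serialize($job);
echo $payload, "\n";
// O:10:"RestoreJob":1:{s:20:"post_reboot_commands";a:2:{i:0;s:2:"id";i:1;s:8:"uname -a";}}

// 1. Unsafe path: __wakeup() fires inside unserialize() and the commands are queued.
restoreUnsafe($payload);

// 2. Safe path: even with a valid tag (computed here with the key for demonstration),
//    the object is rejected before any class-specific code can run.
$key = 'constructed-example-key';
try {
    restoreSafe($payload, hash_hmac('sha256', $payload, $key), $key);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// 3. Safe path with a legitimate, object-free backup.
$good = serialize(['hostname' => 'fw1', 'version' => '2.7.2']);
echo restoreSafe($good, hash_hmac('sha256', $good, $key), $key)['hostname'], "\n";
```

Run it with `php example.php`. Two design points: `allowed_classes => false` is a backstop, not a substitute for avoiding unserialize() on external input altogether (a JSON or XML backup with an explicit schema removes the class-instantiation problem entirely), and the integrity check only helps when the signing key is not available to whoever supplies the backup. In a firewall restore flow the backup is normally uploaded by an administrator, which is why the access control around the installer that the supplier cites is the primary boundary in dispute.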
The dispute over CVE-2025-69690 raises questions about vulnerability classification and the scope of affected installations. While the CVE record reflects a critical rating, the supplier's objection centers on the access controls around the module installer functionality. Organizations running pfSense CE 2.7.2 should monitor for further clarification from both the discloser and Netgate, review who can reach the module installer interface and from which networks, confirm that the web GUI is not exposed beyond the management network, treat backup files as privileged input that is restored only from trusted sources, and assess whether their specific deployment configurations fall within the disputed attack surface. The vulnerability was reported through Patchstack's disclosure program, and additional technical details remain limited pending further analysis or a vendor response.