Description
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.
Published: 2026-05-08
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the module installer of Netgate pfSense CE 2.7.2. A backup file containing a serialized PHP object with the post_reboot_commands property can be processed by the installer, allowing an attacker to execute arbitrary PHP code. This flaw results in Remote Code Execution through the deserialization of untrusted data, a serious integrity and confidentiality compromise for the affected system.

Affected Systems

The affected system is Netgate pfSense Community Edition version 2.7.2. No other vendors, products, or newer releases are listed as vulnerable.

Risk and Exploitability

The CVSS score is 9.1, indicating a critical severity, and the EPSS score is <1%. The vulnerability is not listed in the CISA KEV catalog. Attacks require access to the module installer, which is normally restricted to administrators. For those privileged users, arbitrary PHP code execution is possible, allowing full compromise of the system.

Generated by OpenCVE AI on May 9, 2026 at 00:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Netgate pfSense CE release that addresses the module installer deserialization issue.
  • Restrict usage of the module installer to strictly verified administrators and monitor their activity.
  • Validate or sanitize backup files before importing, ensuring no serialized objects contain post_reboot_commands or similar executable payloads.
  • Consider disabling the backup import feature if it is not essential for your environment.

Generated by OpenCVE AI on May 9, 2026 at 00:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Pfsense
Pfsense pfsense
CPEs cpe:2.3:a:pfsense:pfsense:2.7.2:*:*:*:community:*:*:*
Vendors & Products Pfsense
Pfsense pfsense

Mon, 11 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Netgate
Netgate pfsense Ce
Vendors & Products Netgate
Netgate pfsense Ce

Sat, 09 May 2026 00:30:00 +0000

Type Values Removed Values Added
Title Code Execution via Module Installer in pfSense CE 2.7.2

Fri, 08 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-915
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Code Execution via Module Installer in pfSense CE 2.7.2
Weaknesses CWE-502

Fri, 08 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.
References

Subscriptions

Netgate Pfsense Ce
Pfsense Pfsense
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T21:29:10.073Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69690

cve-icon Vulnrichment

Updated: 2026-05-08T19:24:35.772Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T07:16:28.750

Modified: 2026-05-12T13:45:34.787

Link: CVE-2025-69690

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T16:11:30Z

Weaknesses