Description
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
Published: 2026-05-08
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the XMLRPC API enables execution of arbitrary PHP code through the pfsense.exec_php method. The function does not perform proper sanitization or restriction of the code that can be supplied, allowing an attacker with the ability to invoke the API to run any PHP script. This can lead to full compromise of the affected system, including disclosure of sensitive configuration data, modification of network rules, and availability disruption by terminating services.

Affected Systems

The vulnerability is reported against Netgate pfSense CE 2.8.0. Only administrative users are allowed to call the vulnerable method, so the attack surface is limited to accounts with admin privileges or to users who can obtain such credentials.

Risk and Exploitability

Because the flaw permits code execution, the risk is high, with a CVSS score of 9.9. The EPSS score of < 1% and absence from the KEV catalog suggest that it has not been widely exploited yet, but a single successful exploit can lead to a full compromise. No public remediation is yet available; the supplier disputes the severity by noting the API is intentionally for administrators. Nonetheless, the inherent nature of code execution remains a critical threat.

Generated by OpenCVE AI on May 8, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict access to the XMLRPC API by limiting admin credentials to a secure management subnet or by disabling the XMLRPC service entirely if not required.
  • Configure firewall rules so that traffic from untrusted networks cannot reach the pfSense XMLRPC API endpoint, preventing remote invocation of the pfsense.exec_php method.
  • Apply any available firmware upgrade from Netgate that addresses the execution control or, if none exists, isolate the pfSense box from untrusted networks and enforce strict administrative access controls.



Advisories

No advisories yet.

History

Tue, 12 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:pfsense:pfsense:2.8.0:*:*:*:community:*:*:*

Fri, 08 May 2026 22:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284, CWE-915
Metrics | | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 07:45:00 +0000

Type | Values Removed | Values Added
Title | | XMLRPC API Code Execution in Netgate pfSense CE 2.8.0
First Time appeared | | Pfsense; Pfsense pfsense
Weaknesses | | CWE-94
Vendors & Products | | Pfsense; Pfsense pfsense

Fri, 08 May 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T21:29:04.070Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69691

Vulnrichment

Updated: 2026-05-08T19:23:32.851Z

NVD

Status : Analyzed

Published: 2026-05-08T07:16:28.880

Modified: 2026-05-12T20:39:48.423

Link: CVE-2025-69691

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:45:20Z

Weaknesses