Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
Casky was already ahead
The attack patterns behind this CVE are ones that Casky's 0 matched skills already investigate, long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2025-69691 affects Netgate pfSense CE 2.8.0 and concerns the XMLRPC API endpoint: its pfsense.exec_php function permits arbitrary PHP code execution, and the issue carries a CVSS score of 9.9. Netgate disputes the severity claim, noting that API access is restricted to administrative users who are intentionally allowed to execute PHP code. The issue remains significant because administrative credentials can be compromised through phishing, credential theft, or lateral movement, which turns a "by design" feature into an active exploitation vector. Organizations running pfSense are affected if they expose the XMLRPC API to untrusted networks or maintain weak administrative access controls, making this a critical concern for network infrastructure security.
Casky's threat detection capabilities excel in this scenario by mapping administrative privilege abuse and API misuse patterns across the security skills library. Although this CVE itself maps to zero specific MITRE ATT&CK techniques in standard catalogs, practitioners using Casky would identify attack patterns associated with CWE-284 (Improper Access Control) and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) through behavioral analysis. Practitioners would detect suspicious XMLRPC API calls, unusual PHP execution requests from administrative accounts, and anomalous network traffic patterns targeting the management interface. Extended reasoning across Casky's 754 skills would surface related attack chains including Execution (T1059, Command and Scripting Interpreter), Persistence (T1098, Account Manipulation), and Lateral Movement patterns, enabling defenders to correlate compromise indicators and prioritize remediation of exposed pfSense instances before attackers exploit administrative access pathways.
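The detection described above (flagging XMLRPC calls to pfsense.exec_php, and management-interface traffic from outside the admin network) can be prototyped over web-server request records. The following is an added example written for this page, not Casky's or pfSense's own code. It assumes that pfSense serves XML-RPC at /xmlrpc.php, that the log source records the source IP, HTTP method, path and POST body for each request, and that pfsense.host_firmware_version is a benign method name used only for contrast; all sample records are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption (not stated on the page): pfSense exposes its XML-RPC API at this path.
XMLRPC_PATH = "/xmlrpc.php"
# The only method named on the page; it executes arbitrary PHP for admin callers.
HIGH_RISK_METHODS = {"pfsense.exec_php"}


def xmlrpc_method_name(body):
    """Return the <methodName> of an XML-RPC request body, or None if it is not one.

    Production parsers of untrusted bodies should use defusedxml; the stdlib
    parser is used here only so the example runs without dependencies.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = root.find("methodName")
    return name.text.strip() if name is not None and name.text else None


def classify_request(record, admin_nets):
    """Return a finding dict for a request that warrants review, else None."""
    if record["method"] != "POST" or record["path"] != XMLRPC_PATH:
        return None
    rpc = xmlrpc_method_name(record["body"])
    if rpc is None:
        return None
    src = ipaddress.ip_address(record["src"])
    from_admin_net = any(src in net for net in admin_nets)

    if rpc in HIGH_RISK_METHODS and not from_admin_net:
        severity, reason = "high", "PHP execution via XML-RPC from outside the management network"
    elif rpc in HIGH_RISK_METHODS:
        severity, reason = "medium", "PHP execution via XML-RPC; verify against change records"
    elif not from_admin_net:
        severity, reason = "low", "XML-RPC management call from outside the management network"
    else:
        return None  # routine management call from the expected network
    return {"src": record["src"], "rpc_method": rpc, "severity": severity, "reason": reason}


def scan(records, admin_cidrs):
    """Classify every record; admin_cidrs lists the networks admins are expected to use."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for record in records:
        finding = classify_request(record, admin_nets)
        if finding is not None:
            findings.append(finding)
    return findings


def xmlrpc_call(method):
    """Build a minimal XML-RPC request body for a given method (constructed test data)."""
    return ('<?xml version="1.0"?><methodCall><methodName>' + method +
            '</methodName><params/></methodCall>')


# Constructed sample records; 10.0.0.0/24 plays the role of the management network.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "method": "POST", "path": XMLRPC_PATH, "body": xmlrpc_call("pfsense.exec_php")},
    {"src": "203.0.113.7", "method": "POST", "path": XMLRPC_PATH, "body": xmlrpc_call("pfsense.exec_php")},
    {"src": "10.0.0.5", "method": "POST", "path": XMLRPC_PATH, "body": xmlrpc_call("pfsense.host_firmware_version")},
    {"src": "203.0.113.7", "method": "GET", "path": "/", "body": ""},
    {"src": "198.51.100.9", "method": "POST", "path": XMLRPC_PATH, "body": "not xml at all"},
    {"src": "198.51.100.9", "method": "POST", "path": XMLRPC_PATH, "body": xmlrpc_call("pfsense.host_firmware_version")},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS, ["10.0.0.0/24"]):
        print(f'{finding["severity"]:6} {finding["src"]:14} {finding["rpc_method"]:32} {finding["reason"]}')
```

Calls to pfsense.exec_php from the management network are still reported (at medium) because the page's point is that a legitimate admin capability becomes an exploitation vector once credentials are stolen; correlating those findings with change records is how a defender tells sanctioned use from abuse.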
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise: 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro.
Casky has 0 skills that investigate the attack patterns behind CVE-2025-69691. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation