Nov. 6, 2025 | Categories: Vulnerabilities
A critical security vulnerability has been discovered in pfSense that affects installations with captive portal enabled. This vulnerability requires NO AUTHENTICATION to exploit. We are working with the pfSense security team to develop and release a patch.
Critical Security Advisory: pfSense Captive Portal Vulnerability
November 6, 2025 Security Advisory CRITICAL
⚠️
Critical Vulnerability Under Responsible Disclosure
A critical security vulnerability has been discovered in pfSense that affects installations with captive portal enabled. This vulnerability requires NO AUTHENTICATION to exploit. We are working with the pfSense security team to develop and release a patch.
*…
Nov. 6, 2025 | Categories: Vulnerabilities
A critical security vulnerability has been discovered in pfSense that affects installations with captive portal enabled. This vulnerability requires NO AUTHENTICATION to exploit. We are working with the pfSense security team to develop and release a patch.
Critical Security Advisory: pfSense Captive Portal Vulnerability
November 6, 2025 Security Advisory CRITICAL
⚠️
Critical Vulnerability Under Responsible Disclosure
A critical security vulnerability has been discovered in pfSense that affects installations with captive portal enabled. This vulnerability requires NO AUTHENTICATION to exploit. We are working with the pfSense security team to develop and release a patch.
If you use pfSense captive portal, please read this advisory immediately and implement mitigations.
Executive Summary
During a comprehensive security audit of the pfSense firewall platform, our team discovered a critical vulnerability in the captive portal component. This vulnerability could allow malicious actors to compromise systems without any authentication credentials.
Advisory Details
| Advisory ID | CVE | Severity | Authentication Required | Attack Vector | Affected Component | Discovery Date | Disclosure Status |
|---|---|---|---|---|---|---|---|
| VULN-U1 | |||||||
| Pending Assignment | |||||||
| CRITICAL | |||||||
| No | |||||||
| Network (Remote) | |||||||
| Captive Portal | |||||||
| November 6, 2025 | |||||||
| Vendor Notified - Patch Pending |
Who is Affected?
This vulnerability affects pfSense installations that have captive portal enabled. Captive portal is commonly used in:
☕
Public WiFi Hotspots
Coffee shops, restaurants, retail stores
🏢
Corporate Guest Networks
Visitor WiFi, contractor access
✈️
Transportation Hubs
Airports, train stations, bus terminals
🏨
Hospitality
Hotels, conference centers, resorts
🏫
Educational Institutions
Universities, schools, libraries
🏥
Healthcare Facilities
Hospitals, clinics (guest networks)
How to Check if You’re Affected
- Log into your pfSense web interface
- Navigate to Services → Captive Portal
- If you have any captive portal zones configured and enabled, you are potentially affected
If captive portal is disabled or not configured, this vulnerability does not affect your installation.
What Could Happen?
While we cannot disclose specific technical details before a patch is released, this vulnerability could potentially allow an attacker to:
🚨
Bypass Authentication
Gain unauthorized access to network resources without valid credentials
🔓
Access Sensitive Information
Potentially view or extract data from the captive portal system
👥
Compromise User Privacy
Access information about other users connected to the network
Why This is Critical
- No Authentication Required: An attacker does not need any credentials or special access
- Remote Exploitation: Can be exploited from any device connected to the captive portal network
- Low Complexity: Does not require advanced technical skills to exploit
- Wide Deployment: Captive portal is commonly used in public-facing networks
📅 Responsible Disclosure Timeline
November 6, 2025
Vulnerability discovered during security audit
✓ Complete
In Progress
Vendor notification and coordination
⏳ Ongoing
Pending
Security patch development and testing
⌛ Awaiting
Pending
Patch release and user notification
⌛ Awaiting
After Patch
Full technical disclosure (90 days or after patch release)
⌛ Scheduled
Note: We are following responsible disclosure practices. Full technical details will only be released after a patch is available or after 90 days, whichever comes first.
🛡️ Immediate Protection Measures
🔴 Critical Priority (Do Immediately)
1
Temporarily Disable Captive Portal (If Possible)
The most effective mitigation is to temporarily disable captive portal until a patch is released:
- Log into pfSense web interface
- Navigate to Services → Captive Portal
- Disable each captive portal zone
- Apply changes
Note: Only do this if your business operations permit. We understand this may not be feasible for all environments.
🟠 High Priority (If Captive Portal Must Remain Active)
2
Implement Network Segmentation
Ensure captive portal networks are completely isolated from:
- Internal corporate networks
- Sensitive data systems
- Critical infrastructure
- Administrative interfaces
3
Enable Enhanced Logging and Monitoring
Increase logging verbosity for captive portal to detect potential exploitation attempts:
- Enable captive portal logging (Status → System Logs → Settings)
- Configure remote syslog server if available
- Monitor logs for unusual activity patterns
- Set up alerts for anomalous behavior
4
Restrict Network Access
Limit what captive portal users can access:
- Implement strict firewall rules
- Use bandwidth limitations
- Restrict access to sensitive ports/protocols
- Consider implementing additional authentication layers (RADIUS, LDAP)
⚠️ What NOT to Do
- Do not expose pfSense management interface to untrusted networks
- Do not assume firewall rules alone will protect against this vulnerability
- Do not ignore this advisory if you have captive portal disabled (verify it’s actually disabled)
- Do not wait for exploitation before implementing mitigations
Conclusion
We take security seriously and believe in responsible disclosure to protect the community. While this vulnerability is serious, the risk can be significantly reduced by implementing the mitigations outlined in this advisory.
Our commitment:
- We are working closely with the pfSense team to ensure a comprehensive fix
- We will provide timely updates as the situation develops
- Full technical details will be published only after a patch is available
- We will support the community in understanding and addressing this issue
If you operate pfSense with captive portal enabled, please review and implement the recommended mitigations immediately.
⚖️ Important Notes
This advisory is provided for defensive purposes only. The goal is to help administrators protect their systems while a patch is being developed. Any attempt to exploit this vulnerability on systems you do not own or have explicit authorization to test is illegal and unethical.
Accuracy: While we have made every effort to ensure the accuracy of this advisory, information may change as the vendor investigates and develops a patch. Always refer to official pfSense security announcements for authoritative information.
Liability: This advisory is provided “as is” without warranty of any kind. The authors assume no liability for actions taken based on this information.