CVE-2019-25371

6.1 MEDIUM

📋 TL;DR

CVE-2019-25371 is a reflected cross-site scripting vulnerability in OPNsense 19.1 that allows unauthenticated attackers to inject malicious JavaScript via the host parameter in diag_ping.php. This enables attackers to execute arbitrary scripts in users' browsers, potentially stealing session cookies or performing actions on behalf of authenticated users. All OPNsense 19.1 installations with the web interface exposed are affected.

💻 Affected Systems

Products:
  • OPNsense
Versions: 19.1
Operating Systems: FreeBSD-based
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with web interface accessible; console/SSH access unaffected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers steal administrator session cookies, gain full control of the firewall, and pivot to internal networks.

🟠 Likely Case: Attackers steal user session cookies, perform actions as authenticated users, or redirect victims to phishing sites.

🟢 If Mitigated: With proper input validation and output encoding there is no impact, because the injected script is reflected as inert text rather than executed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires user interaction (clicking malicious link) but is trivial to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.1.1 and later

Vendor Advisory: https://forum.opnsense.org/index.php?topic=11469.0

Restart Required: No

Instructions:

1. Update OPNsense via System > Firmware > Updates.
2. Apply the available patches.
3. Verify that the version is 19.1.1 or newer.

🔧 Temporary Workarounds

Input Validation Rule (applies to: all)
  • Add input validation to block script tags in the host parameter
  • Not applicable via the command line; requires code modification

Web Application Firewall (applies to: all)
  • Deploy a WAF to block XSS payloads in POST requests
  • Command depends on the WAF solution
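The input-validation workaround above says "requires code modification" without showing what that modification looks like. The following is an added example, not OPNsense code or the vendor's fix: it shows the two independent defences a diagnostic page needs for a user-supplied host value (an allow-list check that only accepts IP literals or well-formed hostnames, and HTML encoding of anything that is reflected back), next to the unsafe concatenation that makes a reflected XSS possible. The field name `host`, the page template and the validation policy are illustrative assumptions.

```python
"""Added example (not OPNsense code): validating and encoding a user-supplied
'host' field so that a reflected payload is never interpreted as markup.

Assumptions (not from the advisory): the parameter name, the HTML template and
the hostname policy below are illustrative."""
import html
import ipaddress
import re

# RFC 1123 style hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def is_valid_host(value: str) -> bool:
    """Allow-list check: accept an IPv4/IPv6 literal or a well-formed hostname.

    Anything else (angle brackets, quotes, spaces, shell metacharacters) is
    rejected before it can reach a template or a command line."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(value) is not None


def render_vulnerable(host: str) -> str:
    """The failure mode behind a reflected XSS: raw input concatenated into HTML."""
    return f'<input type="text" name="host" value="{host}">'


def render_hardened(host: str) -> str:
    """Validate first, then HTML-encode whatever is reflected into the page.

    The two steps are independent: validation keeps junk out of the ping
    command, encoding keeps anything that is echoed from becoming markup."""
    if not is_valid_host(host):
        # Do not echo the rejected value at all; a fixed message is safe to emit.
        return '<input type="text" name="host" value=""><p class="error">Invalid host</p>'
    return f'<input type="text" name="host" value="{html.escape(host, quote=True)}">'


if __name__ == "__main__":
    probe = "<script>alert('XSS')</script>"  # the probe string quoted in this advisory
    print(render_vulnerable(probe))          # tag survives intact: a browser would run it
    print(render_hardened(probe))            # rejected by validation, nothing reflected
    print(render_hardened("8.8.8.8"))        # legitimate values pass through unchanged
```

Run it and compare the two render functions on the probe string: the hardened variant never emits the tag, and a well-formed hostname passes through `html.escape` byte-for-byte, so legitimate use is unaffected.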

🧯 If You Can't Patch

  • Restrict access to OPNsense web interface to trusted IPs only
  • Implement Content Security Policy headers to block inline scripts

🔍 How to Verify

Check if Vulnerable:

Test by submitting a POST to /diag_ping.php with a host parameter containing <script>alert('XSS')</script>

Check Version:

opnsense-version

Verify Fix Applied:

After updating, the same test should return sanitized output with no script execution.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to diag_ping.php with script tags in parameters
  • Unusual JavaScript execution in web interface logs

Network Indicators:

  • HTTP POST to diag_ping.php with encoded script payloads

SIEM Query:

http.method:POST AND http.uri:"/diag_ping.php" AND http.param.host:*script*
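The network indicator above mentions encoded payloads, and a naive string match on `script` in the SIEM query will miss them. As an added example (not an OPNsense or vendor tool), the detector below applies the same logic as the SIEM query to constructed proxy log lines: it selects POSTs to diag_ping.php, strips stacked percent-encoding and HTML entities from the host parameter, and then looks for a script tag. The log format (request line followed by a `body="..."` field) and the sample lines are constructed for the example; real WAF or proxy formats differ, so `LINE_RE` is the part to adapt.

```python
"""Added example (not an OPNsense or vendor tool): implement this advisory's
log indicators over constructed proxy log lines.

Assumption: the log format (method, path, then the form body after 'body=')
is made up for this example; adapt LINE_RE to your WAF/proxy format."""
import html
import re
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/diag_ping.php"
WATCHED_PARAM = "host"
# Matches '<script', '< script', '</script', case-insensitively, after decoding.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

# Constructed sample lines, not real traffic. The bodies are what a browser
# form submission would carry: single, double and entity-wrapped encodings.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2019:10:00:01 +0000] "POST /diag_ping.php HTTP/1.1" 200 body="host=8.8.8.8&count=3"
10.0.0.9 - - [01/Mar/2019:10:00:07 +0000] "POST /diag_ping.php HTTP/1.1" 200 body="host=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E"
10.0.0.9 - - [01/Mar/2019:10:00:09 +0000] "POST /diag_ping.php HTTP/1.1" 200 body="host=%253Cscript%253Ealert(1)%253C/script%253E"
10.0.0.9 - - [01/Mar/2019:10:00:12 +0000] "POST /diag_ping.php HTTP/1.1" 200 body="host=%26lt%3BSCRIPT%26gt%3Balert(1)%26lt%3B%2FSCRIPT%26gt%3B"
10.0.0.7 - - [01/Mar/2019:10:00:15 +0000] "GET /diag_ping.php HTTP/1.1" 200 body=""
10.0.0.7 - - [01/Mar/2019:10:00:20 +0000] "POST /diag_traceroute.php HTTP/1.1" 200 body="host=%3Cscript%3E"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} body="(?P<body>[^"]*)"$'
)


def normalize(value: str, rounds: int = 3) -> str:
    """Undo encodings an attacker may stack: repeated percent-decoding, then
    HTML entity decoding, so '%253Cscript' and '&lt;script' both become '<script'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def parse_line(line: str):
    """Split one log line into source, method, path and decoded form parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    record = m.groupdict()
    # parse_qs performs one round of percent-decoding; normalize() handles the rest.
    record["params"] = parse_qs(record["body"], keep_blank_values=True)
    return record


def is_suspicious(record) -> bool:
    """Mirror of the SIEM query: POST to diag_ping.php whose host parameter
    contains a script tag once encodings are stripped."""
    if record["method"] != "POST" or record["path"].split("?")[0] != TARGET_PATH:
        return False
    values = record["params"].get(WATCHED_PARAM, [])
    return any(SCRIPT_TAG_RE.search(normalize(v)) for v in values)


def scan(log_text: str):
    """Return (source_ip, decoded host value) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and is_suspicious(record):
            hits.append((record["src"], normalize(record["params"][WATCHED_PARAM][0])))
    return hits


if __name__ == "__main__":
    for src, decoded in scan(SAMPLE_LOG):
        print(f"{src} -> {decoded!r}")
```

Against the sample, the three encoded submissions from 10.0.0.9 are flagged while the legitimate ping, the GET and the request to a different page are not. Decoding before matching is what makes the difference: the second and third payloads never contain the literal string `<script` on the wire.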
