CVE-2025-13698
📋 TL;DR
This vulnerability allows an authenticated attacker on an adjacent network to create arbitrary files on an OPNsense system. The flaw is in the handling of backup configuration files: a user-controlled path is not validated properly, so directory traversal sequences let the file land outside the intended backup directory. Because the handler runs with root privileges, the attacker ends up controlling the location and contents of a root-owned file, which can lead to full system compromise.
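The bug class described above, as an added illustration that is not OPNsense's code and not the content of the fix commit: a naive path builder that joins a caller-supplied name under a backup directory, next to a hardened version that allowlists the name and then confirms the resolved path is still confined to that directory. The backup directory and the filename policy are assumptions made for the example.

```python
import os
import re

# Hypothetical directory where config backups are stored. This is an
# assumed path for the example, not OPNsense's real layout.
BACKUP_DIR = "/conf/backup"

# Assumed policy for this example: a backup name is letters, digits, dot,
# dash or underscore, ends in .xml, and contains no path separators.
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+\.xml$")


def unsafe_backup_path(name: str) -> str:
    """The vulnerable pattern: trust the caller's name and join it.

    os.path.join discards BACKUP_DIR entirely when `name` is absolute, and
    '..' segments pass through untouched, so the caller picks any
    destination on the filesystem.
    """
    return os.path.join(BACKUP_DIR, name)


def is_confined(base: str, path: str) -> bool:
    """True only if the resolved `path` lies inside the resolved `base`.

    realpath() collapses '..' and follows symlinks before the comparison,
    so the check is made on where the file would actually be written.
    """
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


def safe_backup_path(name: str) -> str:
    """Hardened version: allowlist the name, then confine the result.

    The allowlist alone already rejects separators; the confinement check
    is defence in depth in case the allowlist is loosened later.
    Raises ValueError for anything that is not a plain backup filename
    inside BACKUP_DIR.
    """
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"rejected backup name: {name!r}")
    candidate = os.path.join(BACKUP_DIR, name)
    if not is_confined(BACKUP_DIR, candidate):
        raise ValueError(f"path escapes backup directory: {candidate!r}")
    return candidate


def rejects(name: str) -> bool:
    """True if the hardened path builder refuses `name`."""
    try:
        safe_backup_path(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for probe in ("config-20250101.xml", "../../etc/cron.d/evil",
                  "/etc/cron.d/evil", "x/../../y.xml"):
        joined = unsafe_backup_path(probe)
        print(f"{probe!r:32} unsafe -> {joined!r:40} "
              f"confined={is_confined(BACKUP_DIR, joined)} "
              f"hardened rejects={rejects(probe)}")
```

The two cases worth remembering from this: a leading `/` makes `os.path.join` drop the base directory outright, and `..` only becomes visible as a problem after the path is canonicalised, which is why the check compares `realpath` results rather than looking for the literal string `..`.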
💻 Affected Systems
- Deciso OPNsense
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary file creation leading to privilege escalation, persistence mechanisms, or service disruption.
Likely Case
Unauthorized file creation in sensitive directories, potentially enabling further exploitation or configuration manipulation.
If Mitigated
With the management interface reachable only from trusted networks and accounts, impact is limited by the authentication requirement and the adjacent-network constraint: an attacker first needs valid credentials and a foothold on a network from which the web GUI is reachable.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit cb15c935137d05c86a1e6cf12af877e9c32a23af
Vendor Advisory: https://github.com/opnsense/core/commit/cb15c935137d05c86a1e6cf12af877e9c32a23af
Restart Required: No
Instructions:
1. Update OPNsense to the latest release via System → Firmware → Updates; the fix commit ships as part of the core package.
2. If an upgrade has to wait, the single fix commit can be applied as a hotfix with `opnsense-patch cb15c935137d05c86a1e6cf12af877e9c32a23af`, provided it applies cleanly to your release. A hotfix applied this way is superseded by the next package update.
3. Confirm the running version with `opnsense-version` and compare it with the release the vendor changelog lists as containing the fix. The commit hash itself is not recorded in the installed files, so it cannot be grepped for.
🔧 Temporary Workarounds
Restrict network access
Limit access to the OPNsense management interface to trusted networks only.
Configure firewall rules so that the web GUI port is reachable only from a dedicated management network or a small set of administrator hosts; this reduces who can satisfy the adjacent-network condition.
Restrict who can reach the backup feature
Temporarily disable backup functionality if it is not required, and limit the accounts that can use it.
Navigate to System → Configuration → Backups and disable automated backups. Note that this only reduces use of the feature: the flaw is in the backup/restore handler itself (diag_backup.php), so the vulnerable code path remains reachable by any authenticated user who holds the privilege for that page. Remove that privilege from every account that does not need it (System → Access → Users / Groups) so that only a minimal set of administrators can reach the handler.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OPNsense management interface
- Enforce strong authentication policies and monitor for suspicious backup-related activities
🔍 How to Verify
Check if Vulnerable:
A release built before commit cb15c935137d05c86a1e6cf12af877e9c32a23af was merged is vulnerable. Because this entry carries no version range, compare the output of `opnsense-version` with the vendor changelog that references the commit; any release older than the one that first includes it should be treated as affected.
Check Version:
opnsense-version
Verify Fix Applied:
Installed packages do not contain the git commit hash, so running `grep -r 'cb15c935137d05c86a1e6cf12af877e9c32a23af' /usr/local/opnsense/` proves nothing either way. Instead, confirm that `opnsense-version` reports a release the vendor changelog lists as containing the fix, or compare the installed copies of the files touched by the commit diff (the legacy GUI pages live under /usr/local/www) against the patched versions on GitHub.
📡 Detection & Monitoring
Log Indicators:
- Unusual backup file creation patterns
- Access to diag_backup.php with suspicious filename parameters
Network Indicators:
- HTTP requests to /diag_backup.php with path traversal sequences
SIEM Query:
source="opnsense" AND uri="/diag_backup.php" AND (filename CONTAINS "../" OR filename CONTAINS "..\\" OR filename CONTAINS "%2e%2e")
Note: this query only sees what reaches the log. If the filename parameter is submitted in a POST body rather than the query string, an access log records the request path and status but not the traversal sequence, so the web GUI's access logging must be enabled and the parameter itself captured (for example by a reverse proxy or WAF in front of the GUI) for this signature to fire. Match on percent-encoded forms as well as the literal ones.
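The detection logic above, run over constructed access-log lines as an added example (not a query or log format from OPNsense or from this page's source): requests are parsed, only those whose path is the backup handler are kept, the target is percent-decoded a bounded number of times so encoded and double-encoded sequences compare the same as literal ones, and anything containing `../` or `..\` after decoding is flagged. The log layout, client addresses and usernames are all made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a common web-server access-log layout
# (client, ident, user, timestamp, request, status, bytes). Illustrative
# only; not real OPNsense log output.
SAMPLE_LOG = """\
192.0.2.10 - admin [12/Jan/2025:10:01:02 +0000] "GET /diag_backup.php HTTP/1.1" 200 5120
192.0.2.10 - admin [12/Jan/2025:10:01:09 +0000] "POST /diag_backup.php HTTP/1.1" 302 0
192.0.2.77 - admin [12/Jan/2025:10:02:41 +0000] "GET /diag_backup.php?filename=../../etc/cron.d/x HTTP/1.1" 200 310
192.0.2.77 - admin [12/Jan/2025:10:02:55 +0000] "GET /diag_backup.php?filename=%2e%2e%2f%2e%2e%2fetc%2fcron.d%2fx HTTP/1.1" 200 310
192.0.2.77 - admin [12/Jan/2025:10:03:10 +0000] "GET /diag_backup.php?filename=%252e%252e%252fetc%252fx HTTP/1.1" 200 310
192.0.2.77 - admin [12/Jan/2025:10:03:20 +0000] "GET /diag_backup.php?filename=..%5cwindowsish HTTP/1.1" 200 310
198.51.100.5 - - [12/Jan/2025:10:04:00 +0000] "GET /index.php?x=../../etc/passwd HTTP/1.1" 403 0
"""

# One common-log-format line: client, ident, user, [timestamp], "METHOD target PROTO", status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# '..' followed by either a forward slash or a backslash.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def normalise(target: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly, at most `rounds` times, stopping early
    once a pass changes nothing. Two rounds catch double-encoded input
    (%252e -> %2e -> .) without looping forever on pathological data."""
    out = target
    for _ in range(rounds):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out


def find_traversal_hits(log_text: str, endpoint: str = "/diag_backup.php") -> list:
    """Return one dict per request to `endpoint` whose decoded target
    contains a traversal sequence. Requests to other paths are ignored so
    the result is specific to the handler under investigation."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand
        path = m["target"].split("?", 1)[0]
        if path != endpoint:
            continue
        decoded = normalise(m["target"])
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "client": m["client"],
                "user": m["user"],
                "ts": m["ts"],
                "method": m["method"],
                "status": m["status"],
                "target": decoded,
            })
    return hits


def hits_by_client(log_text: str, endpoint: str = "/diag_backup.php") -> dict:
    """Count flagged requests per client address; a burst from one source
    against the backup handler is the 'unusual pattern' worth paging on."""
    counts = {}
    for hit in find_traversal_hits(log_text, endpoint):
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} user={hit['user']} "
              f"{hit['method']} {hit['target']} -> {hit['status']}")
    print(hits_by_client(SAMPLE_LOG))
```

The second line of the sample (a plain POST to the handler) is deliberately not flagged: if the filename travels in the request body, an access log has nothing for this scanner to match, which is the gap noted above. Pair the scanner with request-body capture at a proxy, or alert on any POST to the handler from an unexpected source.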