CVE-2026-2035
📋 TL;DR
This vulnerability allows authenticated attackers on the same network to execute arbitrary commands as root on Deciso OPNsense firewalls. The flaw exists in the backup configuration file handling where user input isn't properly sanitized before being used in system calls. Only OPNsense installations with authenticated attacker access are affected.
💻 Affected Systems
- Deciso OPNsense
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise of the firewall, allowing an attacker to pivot to internal networks, intercept traffic, disable security controls, or install persistent backdoors.
Likely Case
Authenticated attacker gains root shell access to the firewall, potentially modifying firewall rules, stealing credentials, or using the device as a foothold for lateral movement.
If Mitigated
Attack fails due to proper network segmentation, strong authentication controls, and timely patching.
🎯 Exploit Status
Command injection vulnerabilities are typically easy to exploit once the injection point is identified. Authentication requirement adds a barrier but doesn't significantly increase complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version containing commit cb15c935137d05c86a1e6cf12af877e9c32a23af
Vendor Advisory: https://github.com/opnsense/core/commit/cb15c935137d05c86a1e6cf12af877e9c32a23af
Restart Required: No
Instructions:
1. Update OPNsense to the latest version via System > Firmware > Updates.
2. Apply all available patches.
3. Verify the fix by checking that commit cb15c935 is present.
🔧 Temporary Workarounds
Restrict Management Interface Access
Limit access to the OPNsense management interface to trusted IP addresses only
Configure firewall rules to restrict access to OPNsense web interface (typically port 443)
Disable Unnecessary Backup Features
If the backup functionality via diag_backup.php is not required, restrict or disable it
Modify web server configuration to block access to /diag_backup.php
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OPNsense management interface from untrusted networks
- Enforce strong authentication policies including MFA and regular credential rotation
🔍 How to Verify
Check if Vulnerable:
Check OPNsense version and verify if commit cb15c935137d05c86a1e6cf12af877e9c32a23af is present in the codebase
Check Version:
opnsense-version
Verify Fix Applied:
Verify the patch is applied by checking the diag_backup.php file for proper input sanitization or confirming the commit exists
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in system logs
- Suspicious backup operations from non-admin users
- Unexpected shell commands in web server logs
Network Indicators:
- Unusual outbound connections from OPNsense device
- Traffic patterns suggesting lateral movement from firewall
SIEM Query:
source="opnsense" AND ("diag_backup" OR "backup.php") AND (cmd=* OR exec=* OR system=*)
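The SIEM query above can be tested offline before it goes into production. The following is an added example, not part of this advisory and not OPNsense project code: a small Python matcher that applies the same three conditions (source is opnsense, the event references diag_backup or backup.php, and a cmd=, exec= or system= field is present) to key=value style log lines. The log layout and every sample line are constructed for this example; the field names source, host, user and msg are assumptions about the feed, so adapt parse_kv() to whatever your log shipper emits.

```python
"""
Added example (not from the advisory or the OPNsense project): an offline
matcher for the advisory's SIEM query

    source="opnsense" AND ("diag_backup" OR "backup.php")
                      AND (cmd=* OR exec=* OR system=*)

applied to key=value log lines. The field names and all sample lines are
constructed for this example.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample feed: a mix of OPNsense and non-OPNsense events.
SAMPLE_LOGS = [
    'ts=2026-01-12T10:00:01Z source=opnsense host=fw01 user=admin msg="GET /diag_backup.php" status=200',
    'ts=2026-01-12T10:00:07Z source=opnsense host=fw01 user=backupsvc msg="POST /diag_backup.php" cmd=restore status=200',
    'ts=2026-01-12T10:00:09Z source=opnsense host=fw01 user=backupsvc msg="POST /diag_backup.php" exec=1 status=500',
    'ts=2026-01-12T10:01:15Z source=nginx host=web01 user=- msg="POST /backup.php" cmd=run status=404',
    'ts=2026-01-12T10:02:30Z source=opnsense host=fw01 user=admin msg="POST /index.php" cmd=login status=302',
    'ts=2026-01-12T10:03:00Z source=opnsense host=fw01 user=guest msg="POST /api/core/backup.php" system=1 status=403',
]

# Path fragments named in the advisory's query.
PATH_RE = re.compile(r"diag_backup|backup\.php")
# Command-style keys whose mere presence the query treats as suspicious.
CMD_KEYS = ("cmd", "exec", "system")


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    user: str
    keys: tuple  # which of cmd/exec/system were present on the event


def parse_kv(line: str) -> dict:
    """Parse a space-separated key=value line; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def matches(fields: dict) -> tuple:
    """Return the command-style keys present if the event satisfies all
    three query conditions, otherwise an empty tuple."""
    if fields.get("source") != "opnsense":
        return ()
    if not PATH_RE.search(fields.get("msg", "")):
        return ()
    return tuple(k for k in CMD_KEYS if k in fields)


def scan(lines) -> list:
    """Run the query over an iterable of log lines and collect hits,
    keeping host and user so non-admin backup activity stands out."""
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = parse_kv(line)
        keys = matches(fields)
        if keys:
            hits.append(Hit(n, fields.get("host", "?"), fields.get("user", "?"), keys))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: host={hit.host} user={hit.user} keys={','.join(hit.keys)}")
```

Against the constructed feed the matcher reports lines 2, 3 and 6 and ignores the plain GET of diag_backup.php, the non-OPNsense source, and the login event that carries cmd= without a backup path. The user field is kept in each hit so the "suspicious backup operations from non-admin users" indicator above can be applied as a second filter.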