Chasing the OPNsense RCE: The Story Behind My First CVEs
a day ago
- #Remote Code Execution
- #OPNsense Security
- #CVE-2026-57155
- A security researcher conducted a week-long audit of the OPNsense firewall, resulting in the discovery of five vulnerabilities, including a critical Remote Code Execution flaw (CVE-2026-57155) with a CVSS score of 9.9.
- The RCE exploit chain involved an arbitrary file write in the GeoIP alias importer, which allowed a low-privileged user with 'Firewall: Alias: Edit' access to write malicious files and achieve root-level code execution via the newsyslog utility.
- Other vulnerabilities included an XPath injection in the MVC safe-delete function and three stored XSS issues in various components, all stemming from insufficient input validation and output escaping.
- The researcher used manual taint analysis with ripgrep, dynamic proxying with Burp Suite, and fuzzing with XSS polyglot payloads to identify the vulnerabilities.
- All disclosed vulnerabilities were promptly patched by the OPNsense team in version 26.1.11, with positive collaboration during the responsible disclosure process.