Hasty Briefs


Chasing the OPNsense RCE: The Story Behind My First CVEs

a day ago
  • #Remote Code Execution
  • #OPNsense Security
  • #CVE-2026-57155
  • A security researcher spent a week auditing the OPNsense firewall and found five vulnerabilities, among them a critical Remote Code Execution flaw (CVE-2026-57155) rated CVSS 9.9.
  • The RCE chain started from an arbitrary file write in the GeoIP alias importer: a low-privileged user holding only the 'Firewall: Alias: Edit' privilege could write attacker-controlled files, and the newsyslog utility, which runs as root, then turned that write into root-level code execution.
  • The remaining findings were an XPath injection in the MVC safe-delete function and three stored XSS issues in different components, all rooted in missing input validation and output escaping.
  • Methodology: manual taint analysis, using ripgrep to follow user input from sources to sinks; dynamic testing through Burp Suite as an intercepting proxy; and fuzzing with XSS polyglot payloads.
  • The OPNsense team patched all five issues in version 26.1.11, and the researcher describes the coordinated disclosure as a positive collaboration.
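The RCE bullet above turns on a single primitive: an importer that lets a low-privileged user choose where a file lands. The following Python is an added example, not OPNsense code and not the researcher's exploit; the importer's real code and payload are not on this page. It contrasts a naive path join with a confined writer (name allow-list, `realpath` canonicalisation, containment check, atomic rename) and exercises the three cases a reviewer would want covered: a `../` traversal, a pre-existing symlink inside the directory that points outside it, and a legitimate import. The alias-name policy and directory layout are assumptions for the demonstration.

```python
"""Confining a user-chosen filename to one directory (added example)."""
import os
import re
import tempfile

# Assumed policy: an alias name is 1-64 chars of [A-Za-z0-9_-]. Anything
# else (slashes, dots, spaces) is rejected before it reaches the filesystem.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafePath(ValueError):
    """Raised when a requested destination would leave the import directory."""


def naive_import_path(base_dir: str, alias_name: str) -> str:
    """The vulnerable shape: join and normalise, trust the caller for the rest."""
    return os.path.normpath(os.path.join(base_dir, alias_name))


def resolve_import_path(base_dir: str, alias_name: str) -> str:
    """Return an absolute path inside base_dir for alias_name, or raise UnsafePath."""
    if not _NAME_RE.fullmatch(alias_name):
        raise UnsafePath(f"rejected alias name: {alias_name!r}")
    base = os.path.realpath(base_dir)
    # realpath follows symlinks and collapses '..', so a link planted inside
    # base_dir that points elsewhere is resolved before the containment check.
    target = os.path.realpath(os.path.join(base, alias_name))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath(f"destination escapes {base}: {target}")
    return target


def write_alias_file(base_dir: str, alias_name: str, content: bytes) -> str:
    """Write content to the confined path atomically and return that path."""
    target = resolve_import_path(base_dir, alias_name)
    # Write to a temp file in the same directory, then rename over the target:
    # a reader never observes a half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target), prefix=".import-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
        os.chmod(tmp, 0o640)
        os.replace(tmp, target)
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
    return target


def demo() -> dict:
    """Run the three cases against constructed temp directories; return results."""
    base = tempfile.mkdtemp(prefix="aliases-")     # constructed import directory
    outside = tempfile.mkdtemp(prefix="outside-")  # constructed 'elsewhere'
    results = {}

    # 1. Traversal: the naive join escapes, the confined resolver refuses.
    evil = "../../etc/newsyslog.conf.d/evil.conf"  # hypothetical traversal name
    naive = naive_import_path(base, evil)
    results["naive_escapes"] = os.path.commonpath([base, naive]) != base
    try:
        resolve_import_path(base, evil)
        results["traversal_rejected"] = False
    except UnsafePath:
        results["traversal_rejected"] = True

    # 2. Symlink planted inside base pointing outside: name passes the regex,
    #    but realpath exposes the real destination. None if symlinks unsupported.
    link = os.path.join(base, "linked")
    try:
        os.symlink(os.path.join(outside, "target"), link)
    except OSError:
        results["symlink_rejected"] = None
    else:
        try:
            resolve_import_path(base, "linked")
            results["symlink_rejected"] = False
        except UnsafePath:
            results["symlink_rejected"] = True

    # 3. Legitimate import lands inside base with the exact content.
    content = b"203.0.113.0/24\n"  # constructed alias payload
    path = write_alias_file(base, "geoip_US", content)
    with open(path, "rb") as fh:
        results["written"] = fh.read() == content
    results["inside_base"] = os.path.dirname(path) == os.path.realpath(base)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Path confinement closes the write primitive, but the page's chain is a reminder that the location being written into matters as much: a directory consumed by a root process such as newsyslog should never be writable by a web-facing privilege at all, whatever the filename validation does.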