CVE-2025-13698: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Deciso OPNsense
CVE-2025-13698 is a medium-severity path traversal vulnerability in Deciso OPNsense version 25.7, specifically in the diag_backup.php component. It allows an authenticated network-adjacent attacker to create arbitrary files with root privileges by exploiting improper validation of user-supplied file paths. The vulnerability does not impact confidentiality or availability but can severely affect system integrity. Exploitation requires high privileges (authentication) but no user interaction. There are no known exploits in the wild currently. European organizations using OPNsense 25.7, especially those in critical infrastructure or government sectors, should prioritize patching or mitigating this issue. Mitigations include strict input validation, restricting file write permissions, and monitoring for unusual file creation activities.
AI Analysis
Technical Summary
CVE-2025-13698 is a path traversal vulnerability (CWE-22) in Deciso OPNsense version 25.7, specifically in the diag_backup.php script responsible for handling backup configuration files. The root cause is insufficient validation of user-supplied file path inputs before they are used in file operations, which lets an attacker traverse directories and create arbitrary files outside the intended restricted directory. The attacker must be authenticated with high privileges; the attack vector is network-adjacent and no user interaction is needed. Successful exploitation lets the attacker create files with root-level privileges, potentially leading to unauthorized code execution or persistent backdoors, and thus compromises system integrity. Although the CVSS score is 4.5 (medium), the impact on integrity is significant. No known exploits have been reported in the wild; the vulnerability was assigned and published by ZDI (ZDI-CAN-28133). Only version 25.7 of OPNsense, a widely used open-source firewall and routing platform, is affected. The lack of a patch link suggests that remediation may require manual mitigation or vendor updates. Because the exploitation vector is network-adjacent, attackers need access to the network but not direct local access. This flaw highlights the importance of strict input validation and secure file handling in network security appliances.
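The containment check that the technical summary calls for, as an added example that is not code from OPNsense or the ZDI advisory: the base directory, the function name and the sample inputs are assumptions, and the real diag_backup.php logic is not reproduced here.

```php
<?php
// Added illustration (not OPNsense or ZDI code): confine a user-supplied
// backup file name to one directory before a file is created there.
// $baseDir, the function name and the sample inputs are assumptions.

function safeBackupPath(string $baseDir, string $userName): ?string
{
    // Embedded NUL bytes truncate paths in C-level file functions; reject them.
    if (strpos($userName, "\0") !== false) {
        return null;
    }
    // Accept only a bare file name: no directory component, no "." or "..".
    if ($userName === '' || $userName === '.' || $userName === '..'
        || $userName !== basename($userName)) {
        return null;
    }
    // Canonicalize the base directory (resolves symlinks and ".." segments).
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $userName;
    // An existing target could be a symlink pointing outside $base:
    // resolve it and require the resolved path to remain below $base.
    if (file_exists($candidate)) {
        $resolved = realpath($candidate);
        $prefix = $base . DIRECTORY_SEPARATOR;
        if ($resolved === false || strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $resolved;
    }
    return $candidate;
}

// Constructed demo: a scratch backup directory plus a symlink escaping it.
$dir = sys_get_temp_dir() . '/backups_demo';
@mkdir($dir, 0700);
@symlink(sys_get_temp_dir(), $dir . '/escape.xml');
$cases = ['config-2025.xml', '../../outside.xml', "name\0.xml", '..', 'sub/config.xml', 'escape.xml'];
foreach ($cases as $c) {
    $r = safeBackupPath($dir, $c);
    printf("%-24s => %s\n", json_encode($c), $r === null ? 'REJECTED' : 'OK: ' . $r);
}
```

Only the first case is accepted; the traversal, NUL, dot-dot, subdirectory and symlink cases are all rejected before any file operation runs.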
Potential Impact
For European organizations, especially those relying on OPNsense 25.7 for firewall and routing functions, this vulnerability poses a risk to system integrity by allowing authenticated attackers to create arbitrary files with root privileges. This could lead to unauthorized code execution, persistent malware implants, or configuration tampering, potentially disrupting network security controls. While confidentiality and availability are not directly impacted, the integrity compromise could facilitate further attacks or lateral movement within networks. Organizations in critical infrastructure, government, finance, and telecommunications sectors are particularly at risk due to the strategic importance of their network security appliances. The requirement for authentication limits the attack surface but does not eliminate risk, especially if credential compromise occurs. The absence of known exploits in the wild provides a window for proactive mitigation. However, failure to address this vulnerability could result in targeted attacks leveraging this flaw to undermine network defenses.
Mitigation Recommendations
1. Immediately verify if your OPNsense deployment is running version 25.7 and assess exposure.
2. Restrict access to the diag_backup.php interface to trusted administrators only, ideally via VPN or secure management networks.
3. Implement strict input validation and sanitization on all user-supplied file paths within OPNsense configurations, if customization is possible.
4. Monitor file system changes on OPNsense devices for unexpected file creations, especially in directories outside the intended backup locations.
5. Employ file integrity monitoring tools to detect unauthorized modifications or additions.
6. Limit the privileges of authenticated users to the minimum necessary, reducing the risk of exploitation by compromised accounts.
7. Regularly audit and rotate administrative credentials to prevent unauthorized access.
8. Engage with Deciso for official patches or updates addressing this vulnerability and apply them promptly once available.
9. Consider network segmentation to isolate OPNsense management interfaces from general network traffic.
10. Document and rehearse incident response plans specific to firewall compromise scenarios.
Affected Countries
Germany, France, Netherlands, United Kingdom, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: zdi
- Date Reserved: 2025-11-25T21:38:19.636Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 694b0d93d69af40f312d385a
Added to database: 12/23/2025, 9:45:55 PM
Last enriched: 12/31/2025, 12:24:06 AM
Last updated: 2/4/2026, 4:01:43 AM