CVE-2025-13698: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Deciso OPNsense
Deciso OPNsense diag_backup.php filename Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Deciso OPNsense. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of backup configuration files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create files in the context of root. Was ZDI-CAN-28133.
AI Analysis
Technical Summary
CVE-2025-13698 is a path traversal vulnerability identified in Deciso OPNsense version 25.7, specifically within the diag_backup.php script responsible for handling backup configuration files. The vulnerability arises from insufficient validation of user-supplied file paths, allowing an authenticated attacker with network access and high privileges to manipulate the pathname used in file operations. This flaw enables the attacker to create arbitrary files anywhere on the filesystem, including locations requiring root privileges. The exploitation does not require user interaction but does require authentication with elevated privileges, limiting the attack surface to authorized users or compromised credentials. The vulnerability is categorized under CWE-22, indicating improper limitation of a pathname to a restricted directory. Although no public exploits have been reported, the ability to create arbitrary files as root can lead to severe consequences such as privilege escalation, persistence, or disruption of system integrity. The vulnerability was reserved on November 25, 2025, and published on December 23, 2025, with a CVSS v3.0 base score of 4.5 (medium severity), reflecting the requirement for authentication and the lack of impact on confidentiality or availability. The flaw is significant in environments where OPNsense is deployed as a firewall or gateway, as attackers could leverage this to implant malicious files or scripts.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of network security appliances running OPNsense 25.7. Successful exploitation could allow attackers to create or modify files with root privileges, potentially leading to privilege escalation, unauthorized configuration changes, or persistent backdoors within critical network infrastructure. This could disrupt secure network operations, compromise sensitive data indirectly, or facilitate further lateral movement within the network. Organizations in sectors such as government, finance, telecommunications, and critical infrastructure that rely on OPNsense for firewalling and VPN services are particularly at risk. The requirement for authentication reduces the likelihood of remote exploitation by external attackers but increases the threat from insider attacks or compromised credentials. The absence of known exploits in the wild currently lowers immediate risk, but the potential impact on system integrity warrants prompt attention.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately restrict access to the diag_backup.php functionality to only trusted administrators and limit network exposure of the OPNsense management interface.
2) Enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise.
3) Monitor logs and file system changes for unusual file creation activities, especially in directories where arbitrary files should not be created.
4) Apply strict input validation on any user-supplied paths in custom or integrated scripts to prevent path traversal.
5) If possible, upgrade to a patched version of OPNsense once available or apply vendor-provided workarounds.
6) Conduct regular audits of firewall configurations and backup files to detect unauthorized modifications.
7) Segment management interfaces from general network access to reduce attack surface.
8) Educate administrators about the risks of this vulnerability and the importance of credential security.
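The flaw described in the technical summary and the input-validation recommendation in item 4 both come down to the same check: a user-supplied filename for a backup configuration file must resolve to a location directly inside the backup directory, with traversal components, absolute paths and planted symlinks all rejected. The following is an added illustrative example written for this page, not OPNsense's own code; it assumes a POSIX host (symlinks are used in the demo) and constructs its own sample inputs.

```python
import os
import tempfile

# Added example (not OPNsense code): containment check for a user-supplied
# "filename" naming a backup configuration file. The write may only land
# directly inside the backup directory; anything else raises ValueError.


def safe_backup_path(backup_dir: str, filename: str) -> str:
    """Return the absolute path for filename inside backup_dir, or raise
    ValueError if the user-supplied value would escape that directory."""
    if not filename or filename != os.path.basename(filename):
        # one test rejects "../x", "/etc/x", "sub/x" and the empty name
        raise ValueError("filename must be a bare name without path separators")
    if filename in (".", ".."):
        raise ValueError("directory references are not allowed")
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    root = os.path.realpath(backup_dir)
    # realpath() follows symlinks, so a link planted inside the backup
    # directory cannot redirect the write to another location
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.dirname(target) != root:
        raise ValueError("resolved path leaves the backup directory")
    return target


def filename_is_safe(backup_dir: str, filename: str) -> bool:
    """Boolean wrapper, convenient for logging a rejected request."""
    try:
        safe_backup_path(backup_dir, filename)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run the check over constructed inputs, including a symlink inside the
    backup directory that points outside it. Returns {input: accepted}."""
    with tempfile.TemporaryDirectory() as outside, \
            tempfile.TemporaryDirectory() as backups:
        open(os.path.join(outside, "target.xml"), "w").close()
        os.symlink(os.path.join(outside, "target.xml"),
                   os.path.join(backups, "link.xml"))
        probes = ["config-2025-12-23.xml", "../config.xml",
                  "/etc/config.xml", "..", "link.xml", "sub/config.xml"]
        return {p: filename_is_safe(backups, p) for p in probes}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'accept' if ok else 'reject':6} {name!r}")
```

Only the plain basename is accepted; every traversal, absolute, nested and symlinked probe is refused before any file is opened.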
Affected Countries
Germany, France, Netherlands, United Kingdom, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: zdi
- Date Reserved: 2025-11-25T21:38:19.636Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 694b0d93d69af40f312d385a
Added to database: 12/23/2025, 9:45:55 PM
Last enriched: 12/23/2025, 10:04:17 PM
Last updated: 12/24/2025, 3:23:40 AM