CVE-2025-34182: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Deciso OPNsense
In Deciso OPNsense before 25.7.4, when creating an "Interfaces: Devices: Point-to-Point" entry, the value of the parameter ptpid is not sanitized of HTML-related characters/strings. This value is directly displayed when visiting the page /interfaces_assign.php, which can result in stored cross-site scripting. The attacker must be authenticated with at least "Interfaces: PPPs: Edit" permission. This vulnerability has been addressed by the vendor in the product release notes as "ui: legacy_html_escape_form_data() was not escaping keys only data elements."
AI Analysis
Technical Summary
CVE-2025-34182 is a stored cross-site scripting (XSS) vulnerability identified in Deciso's OPNsense firewall software prior to version 25.7.4. The vulnerability arises from improper neutralization of input during web page generation, specifically in the handling of the 'ptpid' parameter when creating 'Interfaces: Devices: Point-to-Point' entries. The parameter value is not sanitized for HTML-related characters or strings, allowing malicious scripts to be stored and later executed when an authenticated user visits the /interfaces_assign.php page. Exploitation requires the attacker to have authenticated access with at least 'Interfaces: PPPs: Edit' permissions, which limits the attack surface to authorized users. The root cause was that the legacy_html_escape_form_data() function escaped only data elements and not keys, leading to unsafe rendering of user-supplied input. The vendor addressed this by updating the escaping mechanism in the affected UI components. The vulnerability has a CVSS 4.0 score of 5.1, indicating medium severity due to network attack vector, low complexity, no privileges required beyond the stated permission, and partial impact on confidentiality via client-side script execution. No public exploits have been reported to date. This vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.
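The keys-versus-values gap named as the root cause, shown as an added PHP example. This is not OPNsense source code: the function names, the rendering helper and the sample device array are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not OPNsense source. All names and data are hypothetical.

/** Flawed pattern: recursively escapes values but leaves array keys untouched. */
function escape_values_only(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $out[$key] = is_array($value)
            ? escape_values_only($value)
            : htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $out;
}

/** Corrected pattern: escapes keys and values at every nesting level. */
function escape_keys_and_values(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $safeKey = htmlspecialchars((string)$key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $out[$safeKey] = is_array($value)
            ? escape_keys_and_values($value)
            : htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $out;
}

/** Renders a <select> whose option values come from the array keys. */
function render_options(array $devices): string
{
    $html = '';
    foreach ($devices as $id => $dev) {
        $html .= "<option value=\"{$id}\">{$dev['descr']}</option>\n";
    }
    return "<select name=\"if\">\n{$html}</select>\n";
}

// Constructed sample: a user-supplied identifier used as the array key.
$devices = [
    'ppp0"><i>markup</i>' => ['descr' => 'WAN <uplink>'],
];

echo "--- values only (markup in key reaches the page) ---\n";
echo render_options(escape_values_only($devices));
echo "--- keys and values (key is rendered inert) ---\n";
echo render_options(escape_keys_and_values($devices));
```

In the first rendering the description is entity-encoded but the key is emitted verbatim into the attribute; in the second both are encoded, which is the behaviour a template that prints keys has to rely on.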
Potential Impact
The primary impact of CVE-2025-34182 is the potential for stored XSS attacks within the OPNsense web interface. Successful exploitation could allow an attacker with limited authenticated access to execute arbitrary JavaScript in the context of other users' browsers who access the affected page. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed on behalf of legitimate users, or defacement of the management interface. While the requirement for authenticated access with specific permissions reduces the risk of external attackers exploiting this vulnerability directly, insider threats or compromised accounts could leverage this flaw to escalate privileges or disrupt firewall management. Given OPNsense's role as a network security appliance, compromise of its management interface could have cascading effects on network security posture and monitoring. However, the vulnerability does not directly affect the firewall's packet filtering or routing functions, limiting its impact to the management plane. Organizations relying on OPNsense for perimeter or internal network security could face increased risk of administrative interface compromise if this vulnerability is not remediated.
Mitigation Recommendations
To mitigate CVE-2025-34182, organizations should upgrade OPNsense to version 25.7.4 or later, where the vendor has fixed the improper escaping of form data keys. Until the upgrade can be applied, administrators should restrict access to the OPNsense web interface to trusted users only and enforce the principle of least privilege, ensuring only necessary users have 'Interfaces: PPPs: Edit' permissions. Implement strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of account compromise. Additionally, monitor web interface logs for unusual activity that could indicate attempted exploitation. Network segmentation can limit access to the management interface from untrusted networks. Security teams should also educate users with access about the risks of XSS and encourage cautious behavior when interacting with the interface. Finally, consider deploying web application firewalls (WAFs) or intrusion detection systems (IDS) capable of detecting and blocking XSS payloads targeting the management interface.
Affected Countries
United States, Germany, Netherlands, United Kingdom, Canada, Australia, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.568Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68dd5ef5ebdfe95d2e1694d8
Added to database: 10/1/2025, 5:03:49 PM
Last enriched: 3/5/2026, 2:02:57 PM
Last updated: 3/22/2026, 5:24:00 PM