CVE-2025-34182 is a stored cross-site scripting (XSS) vulnerability affecting Deciso's OPNsense firewall software versions prior to 25.7.4. The vulnerability arises from improper sanitization of the 'ptpid' parameter when creating an "Interfaces: Devices: Point-to-Point" entry. Specifically, HTML-related characters and strings in the 'ptpid' parameter are not properly escaped before being rendered on the page /interfaces_assign.php. This allows an authenticated attacker with at least "Interfaces: PPPs: Edit" permission to inject malicious scripts that are stored and executed in the context of the victim's browser when visiting the affected page. The root cause is that the legacy function ui: legacy_html_escape_form_data() was escaping only data elements but not keys, allowing injection through keys such as 'ptpid'. The vulnerability has been addressed in OPNsense version 25.7.4 by correcting the escaping mechanism. The CVSS 4.0 base score is 5.1 (medium severity), reflecting that the attack vector is network-based, requires low privileges but no user interaction, and results in low confidentiality impact with no integrity or availability impact. No known exploits are reported in the wild as of now. This vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security issue that can lead to session hijacking, credential theft, or unauthorized actions if exploited successfully. Since the attacker must be authenticated with specific permissions, the threat is limited to insiders or compromised accounts with PPP editing rights.

For European organizations using OPNsense as their firewall or network security appliance, this vulnerability poses a moderate risk. Successful exploitation could allow an attacker with authenticated access to execute arbitrary JavaScript in the context of the OPNsense web interface. This could lead to session hijacking, theft of administrative credentials, or unauthorized configuration changes if combined with other vulnerabilities or social engineering. Given that OPNsense is popular among small to medium enterprises and public sector organizations in Europe for its open-source and flexible firewall capabilities, exploitation could compromise network perimeter defenses. However, the requirement for authenticated access with specific permissions limits the attack surface primarily to internal users or attackers who have already gained some foothold. The vulnerability does not directly impact confidentiality, integrity, or availability of the firewall system itself but could facilitate further attacks or privilege escalation. Organizations in sectors with strict regulatory requirements for network security, such as finance, healthcare, and critical infrastructure, should consider this vulnerability significant enough to warrant prompt remediation to avoid potential lateral movement or insider threats.

1. Upgrade OPNsense installations to version 25.7.4 or later, where the vulnerability has been fixed by proper escaping of the 'ptpid' parameter. 2. Restrict and audit user permissions to ensure only trusted administrators have "Interfaces: PPPs: Edit" rights, minimizing the number of accounts that could exploit this vulnerability. 3. Implement strong authentication mechanisms such as multi-factor authentication (MFA) for accessing the OPNsense web interface to reduce the risk of compromised credentials. 4. Monitor web interface logs and user activities for unusual behavior or unauthorized changes related to point-to-point interface configurations. 5. Consider network segmentation and access controls to limit administrative interface access to trusted networks or VPNs. 6. Educate administrators about the risks of XSS and the importance of validating input even in internal management interfaces. 7. If upgrading immediately is not feasible, apply temporary compensating controls such as disabling or restricting access to the affected interface pages or limiting the ability to create or edit point-to-point devices.