CVE-2026-2035: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Deciso OPNsense
Deciso OPNsense diag_backup.php filename Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Deciso OPNsense. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of backup configuration files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28131.
AI Analysis
Technical Summary
CVE-2026-2035 is a remote code execution vulnerability classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) affecting Deciso OPNsense version 25.7. The vulnerability resides in the diag_backup.php script, which handles backup configuration files. Specifically, the flaw arises from insufficient validation of a user-supplied filename string that is subsequently used in a system call. Because the input is not properly sanitized, an authenticated attacker with network access can inject arbitrary OS commands. Successful exploitation results in execution of code with root privileges, allowing full control over the affected device. The attack vector requires authentication but does not require user interaction, increasing the risk in environments where credentials may be compromised or shared. The vulnerability was assigned CVSS v3.0 base score of 6.8, reflecting its medium severity due to the requirement for authentication and network adjacency. No public exploits or active exploitation have been reported yet, but the potential impact is significant given the root-level access gained. The vulnerability was identified and reserved by ZDI (ZDI-CAN-28131) and published on 2026-02-20.
Potential Impact
The vulnerability allows an authenticated attacker to execute arbitrary commands as root on OPNsense devices running version 25.7, potentially leading to full system compromise. This can result in unauthorized disclosure of sensitive configuration data, modification or deletion of firewall rules, disruption of network traffic, and persistent backdoors. Organizations relying on OPNsense for perimeter or internal network security could face severe operational disruptions, data breaches, and lateral movement opportunities for attackers. The requirement for authentication limits exposure but does not eliminate risk, especially in environments with weak credential management or insider threats. The root-level access amplifies the impact on confidentiality, integrity, and availability, making this a critical concern for network security administrators.
Mitigation Recommendations
1. Immediately upgrade OPNsense installations to a patched version once available from Deciso. 2. Until a patch is released, restrict access to the OPNsense management interface to trusted IP addresses and networks only. 3. Enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. 4. Regularly audit user accounts and permissions to ensure only authorized personnel have access. 5. Monitor logs for unusual activity related to backup configuration file handling or unexpected system command executions. 6. Employ network segmentation to limit attacker movement if a device is compromised. 7. Consider disabling or restricting the diag_backup.php functionality if not required for operational needs. 8. Implement intrusion detection/prevention systems to detect anomalous commands or traffic patterns targeting OPNsense devices.
Affected Countries
United States, Germany, Netherlands, United Kingdom, Canada, Australia, France, Japan, South Korea, Brazil
CVE-2026-2035: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Deciso OPNsense
Description
Deciso OPNsense diag_backup.php filename Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Deciso OPNsense. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of backup configuration files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28131.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-2035 is a remote code execution vulnerability classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) affecting Deciso OPNsense version 25.7. The vulnerability resides in the diag_backup.php script, which handles backup configuration files. Specifically, the flaw arises from insufficient validation of a user-supplied filename string that is subsequently used in a system call. Because the input is not properly sanitized, an authenticated attacker with network access can inject arbitrary OS commands. Successful exploitation results in execution of code with root privileges, allowing full control over the affected device. The attack vector requires authentication but does not require user interaction, increasing the risk in environments where credentials may be compromised or shared. The vulnerability was assigned CVSS v3.0 base score of 6.8, reflecting its medium severity due to the requirement for authentication and network adjacency. No public exploits or active exploitation have been reported yet, but the potential impact is significant given the root-level access gained. The vulnerability was identified and reserved by ZDI (ZDI-CAN-28131) and published on 2026-02-20.
Potential Impact
The vulnerability allows an authenticated attacker to execute arbitrary commands as root on OPNsense devices running version 25.7, potentially leading to full system compromise. This can result in unauthorized disclosure of sensitive configuration data, modification or deletion of firewall rules, disruption of network traffic, and persistent backdoors. Organizations relying on OPNsense for perimeter or internal network security could face severe operational disruptions, data breaches, and lateral movement opportunities for attackers. The requirement for authentication limits exposure but does not eliminate risk, especially in environments with weak credential management or insider threats. The root-level access amplifies the impact on confidentiality, integrity, and availability, making this a critical concern for network security administrators.
Mitigation Recommendations
1. Immediately upgrade OPNsense installations to a patched version once available from Deciso. 2. Until a patch is released, restrict access to the OPNsense management interface to trusted IP addresses and networks only. 3. Enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. 4. Regularly audit user accounts and permissions to ensure only authorized personnel have access. 5. Monitor logs for unusual activity related to backup configuration file handling or unexpected system command executions. 6. Employ network segmentation to limit attacker movement if a device is compromised. 7. Consider disabling or restricting the diag_backup.php functionality if not required for operational needs. 8. Implement intrusion detection/prevention systems to detect anomalous commands or traffic patterns targeting OPNsense devices.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zdi
- Date Reserved
- 2026-02-06T01:11:13.876Z
- Cvss Version
- 3.0
- State
- PUBLISHED
Threat ID: 6998e0efbe58cf853bd8652f
Added to database: 2/20/2026, 10:32:15 PM
Last enriched: 2/28/2026, 12:47:55 PM
Last updated: 4/7/2026, 8:29:33 AM
Views: 48
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.