CVE-2026-2035 is a vulnerability classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) affecting Deciso OPNsense version 25.7. The flaw resides in the diag_backup.php script responsible for handling backup configuration files. Specifically, the vulnerability arises because the application fails to properly validate or sanitize a user-supplied filename parameter before incorporating it into a system call. An authenticated attacker with network adjacency can exploit this weakness to inject arbitrary OS commands, which are executed with root privileges. This leads to remote code execution (RCE) on the affected device. The vulnerability requires authentication (high privileges) but no additional user interaction. The impact spans confidentiality, integrity, and availability, as arbitrary code execution at root level can lead to full system compromise, data theft, or disruption of network services. Although no public exploits have been reported yet, the severity and root-level access potential make this a critical concern for organizations relying on OPNsense for firewall and routing functions. The CVSS 3.0 vector (AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) reflects that the attack is network-adjacent, requires low attack complexity, high privileges, no user interaction, and impacts all three security properties severely. No patches or mitigations are currently linked, emphasizing the need for vendor response and user vigilance.

The vulnerability allows an authenticated attacker to execute arbitrary commands as root on OPNsense devices, potentially leading to complete system compromise. This can result in unauthorized access to sensitive network configurations, interception or manipulation of network traffic, disruption of firewall or routing services, and persistent backdoors for further attacks. Organizations relying on OPNsense for perimeter security or internal segmentation may face significant risks including data breaches, service outages, and lateral movement within networks. The root-level execution capability amplifies the impact, as attackers can disable security controls, exfiltrate data, or pivot to other systems. Given OPNsense's use in enterprise, government, and critical infrastructure environments, exploitation could have severe operational and reputational consequences. Although exploitation requires authentication, insider threats or compromised credentials increase the risk. The absence of known exploits in the wild currently limits immediate widespread impact but does not reduce the urgency of mitigation.

1. Immediately restrict access to OPNsense management interfaces to trusted administrators and secure networks only, minimizing exposure to network-adjacent attackers. 2. Enforce strong authentication mechanisms and regularly audit user accounts to prevent credential compromise. 3. Monitor logs for unusual activity related to backup configuration operations or unexpected command executions. 4. Apply vendor patches or updates as soon as they become available; if no patch exists, consider temporary workarounds such as disabling the vulnerable diag_backup.php functionality or restricting its access. 5. Implement network segmentation to isolate OPNsense devices from less trusted network segments. 6. Use application-layer firewalls or intrusion detection systems to detect and block suspicious command injection attempts targeting backup filename parameters. 7. Conduct regular security assessments and penetration tests focusing on administrative interfaces to identify similar injection flaws. 8. Educate administrators on the risks of command injection and the importance of input validation and least privilege principles.