Chasing the OPNsense RCE: The Story Behind My First CVEs (CVE-2026-57155) | HackerAsk
I think every security researcher remembers their first CVE. For me, that milestone did not arrive as a single, low-impact bug. Instead, during one of my designated security research weeks at Hacking Cult, my deep dive into OPNsense yielded five accepted vulnerabilities. This milestone was capped off by a critical Remote Code Execution flaw with a 9.9 CVSS rating (CVE-2026-57155).

As a popular open-source FreeBSD-based firewall and routing platform, OPNsense sits at the edge of enterprise and home networks. The claim of OPNsense is to make digital security accessible to everyone by providing all the features of expensive commercial firewalls and more for free.

As penetration testers at our company, we regularly have the opportunity to spend time on security research and professional development. Because we rely heavily on open-source software, we decided to use this time to conduct penetration tests to help improve the ecosystem. In a community poll, OPNsense was suggested as a target, a perfect fit!

Over the course of five days, I was able to identify eight vulnerabilities. In the interest of responsible disclosure, this write-up will focus exclusively on the five that have already been patched.
Of the remaining three, one was identified as a duplicate, while the other two are still under active review by the maintainers at the time of writing.

| Finding | CVE / GHSA | Severity |
| --- | --- | --- |
| RCE via Arbitrary File Write in GeoIP Alias Importer | CVE-2026-57155 / GHSA-wjqq-rfmm-v5h3 | Critical (9.9) |
| XPath injection in MVC safe-delete | CVE-2026-58395 / GHSA-98h6-479q-9q3w | Medium (4.3) |
| Stored XSS in Services: NTP GPS | CVE-2026-58392 / GHSA-h793-67jm-j4m5 | Medium (5.4) |
| Stored XSS via certificate description | CVE-2026-58394 / GHSA-8pgr-x852-qx4j | Medium (5.2) |
| Stored XSS in Firewall Rules/NAT grids | CVE-2026-58391 / GHSA-2xrm-p255-p43h | Medium (5.4) |

Thanks to the rapid and professional response of the OPNsense team, all five disclosed vulnerabilities have been successfully remediated.

In this post, I will walk you through the background story of this research week, briefly outline the four moderate bugs and finally provide a deep-dive technical analysis of how I discovered and chained together CVE-2026-57155 to achieve full RCE.

A Week in the Code

The research kicked off with setting up an OPNsense instance on a virtual machine. I downloaded the source code of the OPNsense core and began diving straight in. My primary goal was to map out the application's attack surface, tracing the routing logic and the Phalcon-based Model-View-Controller (MVC) framework that powers the web interface.

To achieve this, a major cornerstone of my methodology was manual taint analysis. I extensively utilized ripgrep with custom regular expressions to hunt for potential sinks across the massive PHP codebase. By grepping for dangerous functions, such as file system operations, shell executions and unsanitized output, I could manually trace the execution flow backward to see if user-supplied input ever reached those sinks without proper validation.

Tracing sinks in OPNsense presented a challenge because of the Phalcon framework. Much of the routing and parameter binding is handled dynamically under the hood, meaning a simple grep does not always tell the whole story. I often had to cross-reference my ripgrep findings with the actual XML configuration files that map the frontend controllers to the backend API endpoints.

In addition, I used Burp Suite for dynamic proxying to intercept and analyze the API calls between the frontend and the Phalcon backend. I also aggressively fuzzed various input fields, such as certificate descriptions, alias names and grid parameters, with XSS polyglot payloads. Polyglots are incredibly efficient for this type of black-box testing because a single payload is crafted to break out of multiple contexts simultaneously (e.g. escaping an HTML attribute, a JavaScript string and standard HTML tags all at once).

Four Moderate Vulnerabilities

Before going into the details of the critical RCE, a few words about the other moderate vulnerabilities I discovered in the OPNsense audit. None of them allow you to get a root shell on their own, but each one tells you something about how the same class of mistake (trusting input without sanitization) shows up in different corners of the same codebase.

XPath Injection in MVC Safe-Delete

All "delete" buttons in the MVC-based modules of OPNsense eventually call the same generic safe-delete routine, which is shared by dozens of endpoints. So when I found that the delete token from the URL gets dropped straight into an XPath query with plain string interpolation, it did not affect one endpoint. It affected twenty-one!

A payload as simple as ')or(' turns:
$xpath =...
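To make the fix concrete, here is an added example (my own illustration, not code from OPNsense or from this write-up) of a hypothetical safe-delete lookup in the interpolating shape next to a hardened version that validates the token before it ever touches DOMXPath; the config fragment, the UUIDs and the function names are all constructed for the example:

```php
<?php
// Added example (not OPNsense's code): a constructed config fragment whose
// entries are addressed by uuid attributes, the way a safe-delete would.
$xml = <<<XML
<opnsense><aliases>
  <alias uuid="2f3a1c8e-1111-4a5b-9c0d-0123456789ab"><name>web</name></alias>
  <alias uuid="7b9e4d2a-2222-4f6c-8e1f-abcdef012345"><name>db</name></alias>
</aliases></opnsense>
XML;
$doc = new DOMDocument();
$doc->loadXML($xml);
$xp = new DOMXPath($doc);

// Vulnerable shape: the delete token from the request is interpolated into
// the XPath expression, so XPath metacharacters in it rewrite the predicate.
function findNodeVulnerable(DOMXPath $xp, string $token): ?DOMNode {
    $nodes = $xp->query("//aliases/alias[@uuid='{$token}']");
    return ($nodes === false || $nodes->length === 0) ? null : $nodes->item(0);
}

// Hardened shape: DOMXPath offers no parameter binding, so the token is
// checked against the UUID grammar before it reaches the query, and the query
// must address exactly one node so a broadened predicate is refused as well.
function findNodeHardened(DOMXPath $xp, string $token): DOMNode {
    if (!preg_match('/^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i', $token)) {
        // Worth logging: a non-UUID token here is a probe, not a user mistake.
        throw new InvalidArgumentException('delete token is not a UUID');
    }
    $nodes = $xp->query("//aliases/alias[@uuid='{$token}']");
    if ($nodes === false || $nodes->length !== 1) {
        throw new RuntimeException('token does not address exactly one node');
    }
    return $nodes->item(0);
}

$legit = '2f3a1c8e-1111-4a5b-9c0d-0123456789ab';
// Both shapes agree on a well-formed token.
echo 'vulnerable, valid token: ', findNodeVulnerable($xp, $legit)->getNodePath(), PHP_EOL;
echo 'hardened, valid token:   ', findNodeHardened($xp, $legit)->getNodePath(), PHP_EOL;

// The payload from the write-up never reaches the XPath engine in the hardened shape.
try {
    findNodeHardened($xp, "')or('");
} catch (InvalidArgumentException $e) {
    echo 'hardened, payload: rejected (', $e->getMessage(), ')', PHP_EOL;
}
```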