CVE-2025-50989
Published: 27 August 2025
Summary
CVE-2025-50989 is a critical-severity OS Command Injection (CWE-78) vulnerability in OPNsense. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 18.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
OPNsense before version 25.1.8 contains an authenticated command injection vulnerability in the Bridge Interface Edit endpoint at interfaces_bridge_edit.php. The span POST parameter is directly concatenated into a system command without sanitization or escaping, enabling an administrator to supply arbitrary shell operators and payloads. The flaw is tracked under CWE-78 and CWE-77 and carries a CVSS 3.1 score of 9.1.
An authenticated administrator can exploit the issue over the network to achieve remote code execution with the privileges of the web service, typically root. Successful exploitation can result in full system compromise or facilitate lateral movement within the environment.
The official OPNsense changelog for release 25.1.8 addresses the vulnerability through improved input handling in the affected endpoint. Public proof-of-concept material confirms the injection vector via the span parameter and demonstrates command execution after authentication.
The associated EPSS score remains flat at 0.0149 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25898
Vulnerability details
OPNsense before 25.1.8 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces_bridge_edit.php). The span POST parameter is concatenated into a system-level command without proper sanitization or escaping, allowing an administrator to inject arbitrary shell operators and payloads. Successful exploitation results in remote code execution with the privileges of the web service (typically root), potentially leading to full system compromise or lateral movement. This vulnerability arises from inadequate input validation and improper handling of user-supplied data in backend command invocations.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Authenticated command injection in the OPNsense web interface (interfaces_bridge_edit.php) via unsanitized 'span' parameter enables exploitation of remote services (T1210) for arbitrary Unix shell command execution (T1059.004) with root privileges.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the command injection by requiring input validation mechanisms at endpoints like interfaces_bridge_edit.php to sanitize the 'span' POST parameter.
Mandates timely remediation of the identified flaw through patching to OPNsense 25.1.8 or later, eliminating the vulnerability.
Limits the impact of successful RCE by enforcing least privilege on the web service process, preventing full root-level system compromise.
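The input-validation control described above, sketched in PHP as an added example; it is not OPNsense source code and not the 25.1.8 fix. The span value is checked against the interfaces the host actually has and is then passed as a single argv element, so no shell ever parses it. The function names, the interface list and the ifconfig argument layout are assumptions.

```php
<?php
// Added illustration, not OPNsense code. Function names, the interface list
// and the ifconfig argument layout are assumptions made for this example.
//
// Pattern the page describes (hypothetical form, kept as a comment only):
//   exec("/sbin/ifconfig {$bridge} span {$span}");   // value reaches /bin/sh

/**
 * Accept a user-supplied span value only if it is a well-formed interface
 * name AND an interface that exists on this host. Returns null on rejection.
 */
function validate_span(string $span, array $knownInterfaces): ?string
{
    // Syntactic check: short token, no whitespace or shell metacharacters.
    if (!preg_match('/\A[a-zA-Z0-9_.]{1,32}\z/', $span)) {
        return null;
    }
    // Semantic check: strict comparison against the real interface list.
    return in_array($span, $knownInterfaces, true) ? $span : null;
}

/**
 * Build the command as an argv array instead of a string. Passing this array
 * to proc_open() (PHP >= 7.4) starts the program directly, without a shell.
 */
function build_span_command(string $bridge, string $span, array $known): array
{
    $checked = validate_span($span, $known);
    if ($checked === null) {
        throw new InvalidArgumentException('span is not a known interface');
    }
    return ['/sbin/ifconfig', $bridge, 'span', $checked];
}

// Constructed sample input: one valid name, one carrying a shell operator,
// one well-formed name that does not exist on the host.
$known = ['em0', 'em1', 'igb0'];
foreach (['em1', 'em1;echo injected', 'em9'] as $candidate) {
    try {
        $argv = build_span_command('bridge0', $candidate, $known);
        echo 'accepted: ' . json_encode($argv) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . json_encode($candidate) . PHP_EOL;
    }
}
```

Rejections of syntactically invalid values are worth logging with the authenticated user name, since a legitimate UI submission should never produce one.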