Cyber Resilience

CVE-2025-50989

Critical · Public PoC · RCE

Published: 27 August 2025
Modified: 26 September 2025
KEV Added
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0149 (81.5th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-50989 is a critical-severity OS Command Injection (CWE-78) vulnerability in OPNsense. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 18.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

OPNsense before version 25.1.8 contains an authenticated command injection vulnerability in the Bridge Interface Edit endpoint at interfaces_bridge_edit.php. The span POST parameter is directly concatenated into a system command without sanitization or escaping, enabling an administrator to supply arbitrary shell operators and payloads. The flaw is tracked under CWE-78 and CWE-77 and carries a CVSS 3.1 score of 9.1.

An authenticated administrator can exploit the issue over the network to achieve remote code execution with the privileges of the web service, typically root. Successful exploitation can result in full system compromise or facilitate lateral movement within the environment.

The official OPNsense changelog for release 25.1.8 addresses the vulnerability through improved input handling in the affected endpoint. Public proof-of-concept material confirms the injection vector via the span parameter and demonstrates command execution once the attacker is authenticated.

The associated EPSS score remains flat at 0.0149 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

OPNsense before 25.1.8 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces_bridge_edit.php). The span POST parameter is concatenated into a system-level command without proper sanitization or escaping, allowing an administrator to inject arbitrary shell operators and payloads. Successful exploitation results in remote code execution with the privileges of the web service (typically root), potentially leading to full system compromise or lateral movement. This vulnerability arises from inadequate input validation and improper handling of user-supplied data in backend command invocations.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Authenticated command injection in the OPNsense web interface (interfaces_bridge_edit.php) via unsanitized 'span' parameter enables exploitation of remote services (T1210) for arbitrary Unix shell command execution (T1059.004) with root privileges.

CVEs Like This One

CVE-2026-44194 (same product: Opnsense Opnsense)
CVE-2026-45158 (same product: Opnsense Opnsense)
CVE-2026-44193 (same product: Opnsense Opnsense)
CVE-2026-34578 (same product: Opnsense Opnsense)
CVE-2026-30868 (same product: Opnsense Opnsense)
CVE-2026-4558 (shared CWE-77, CWE-78)
CVE-2026-26068 (shared CWE-77, CWE-78)
CVE-2026-3485 (shared CWE-77, CWE-78)
CVE-2025-0798 (shared CWE-77, CWE-78)
CVE-2025-61045 (shared CWE-77, CWE-78)

Affected Assets

opnsense
opnsense
≤ 25.1.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly addresses the command injection by requiring input validation mechanisms at endpoints like interfaces_bridge_edit.php to sanitize the 'span' POST parameter.

Prevent: Mandates timely remediation of the identified flaw through patching to OPNsense 25.1.8 or later, eliminating the vulnerability.

Prevent: Limits the impact of successful RCE by enforcing least privilege on the web service process, preventing full root-level system compromise.
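
The input validation control above, sketched as an added example for a parameter like span; this is not OPNsense source code or the 25.1.8 patch. It assumes the value is a single interface name and that the backend command is ifconfig; the function names, the interface list and the name pattern are hypothetical.

```php
<?php
// Added illustration; not OPNsense source code. Function names, the interface
// list, the name pattern and the ifconfig invocation are assumptions.

/**
 * Validate a submitted span value against the interfaces the system knows.
 * Returns the validated name, or null when the value must be rejected.
 */
function validate_span_member($value, array $knownInterfaces): ?string
{
    if (!is_string($value)) {
        return null; // arrays submitted as span[]=... are rejected
    }
    // Shape check: interface-style names only, so no whitespace, newlines
    // or shell metacharacters can pass. \A and \z anchor the whole string.
    if (preg_match('/\A[a-z][a-z0-9_]{0,14}\z/', $value) !== 1) {
        return null;
    }
    // Allowlist check: the name must be an interface that actually exists.
    return in_array($value, $knownInterfaces, true) ? $value : null;
}

/**
 * Build the command as an argument vector. Passing an array to proc_open()
 * (PHP 7.4+) executes the program directly, so no shell parses the arguments.
 */
function build_span_argv(string $bridge, string $span): array
{
    return ['/sbin/ifconfig', $bridge, 'span', $span];
}

// Constructed sample input standing in for $_POST['span'].
$known   = ['em0', 'em1', 'igb0'];
$samples = ['em1', 'em1; echo x', 'em1$(echo x)', "em1\necho x", 'em9', ['em1']];

foreach ($samples as $raw) {
    $span = validate_span_member($raw, $known);
    if ($span === null) {
        echo 'rejected: ', json_encode($raw), PHP_EOL;
        continue;
    }
    echo 'accepted: ', json_encode(build_span_argv('bridge0', $span)), PHP_EOL;
}
```

Only the first sample is accepted; the rest fail either the shape check or the allowlist before any command is built.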

References