CVE-2025-50989
Published: 27 August 2025
Summary
CVE-2025-50989 is a critical-severity OS Command Injection (CWE-78) vulnerability in OPNsense. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 20.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the command injection by requiring input validation mechanisms at endpoints like interfaces_bridge_edit.php to sanitize the 'span' POST parameter.
Mandates timely remediation of the identified flaw through patching to OPNsense 25.1.8 or later, eliminating the vulnerability.
Limits the impact of successful RCE by enforcing least privilege on the web service process, preventing full root-level system compromise.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated command injection in the OPNsense web interface (interfaces_bridge_edit.php) via the unsanitized 'span' parameter enables exploitation of remote services (T1210) for arbitrary Unix shell command execution (T1059.004) with root privileges.
NVD Description
OPNsense before 25.1.8 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces_bridge_edit.php). The span POST parameter is concatenated into a system-level command without proper sanitization or escaping, allowing an administrator to inject arbitrary shell operators and payloads. Successful exploitation results in remote code execution with the privileges of the web service (typically root), potentially leading to full system compromise or lateral movement. This vulnerability arises from inadequate input validation and improper handling of user-supplied data in backend command invocations.
Deeper analysis
CVE-2025-50989 is an authenticated command injection vulnerability affecting OPNsense firewall and routing platform versions prior to 25.1.8. The issue resides in the Bridge Interface Edit endpoint (interfaces_bridge_edit.php), where the "span" POST parameter is directly concatenated into a system-level command without proper sanitization or escaping. This flaw, linked to CWE-78 (OS Command Injection) and CWE-77 (Command Injection), enables attackers to inject arbitrary shell operators and payloads during backend command invocations. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting its critical severity due to high confidentiality, integrity, and availability impacts with changed scope.
Exploitation requires authenticated access with administrator privileges (PR:H), allowing a malicious admin to remotely trigger the vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful attacks result in remote code execution (RCE) under the privileges of the web service, which typically runs as root. This can lead to full system compromise, arbitrary command execution, or lateral movement within the environment.
Advisories recommend updating to OPNsense 25.1.8 or later, as detailed in the project's changelog. A proof-of-concept is available demonstrating the injection via the "span" parameter in the affected endpoint.
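The concatenation pattern described above, next to an SI-10 style allowlist check, as an added example that is not OPNsense source code. The function names, the `ifconfig` command line, the interface names and the 15-character limit are assumptions made for illustration.

```php
<?php
// Added illustration; not taken from OPNsense. All names are hypothetical.

// Pattern the advisory describes: the POST value is pasted into a command
// string, so any shell operator it contains is interpreted by the shell.
function build_span_command_unsafe(string $bridge, string $span): string
{
    return "/sbin/ifconfig {$bridge} span {$span}";
}

// Input validation: restrict the character set and length (assumed limit),
// then require an exact match against interfaces the system already knows.
function is_known_interface(string $name, array $knownInterfaces): bool
{
    return preg_match('/\A[A-Za-z0-9_.]{1,15}\z/', $name) === 1
        && in_array($name, $knownInterfaces, true);
}

// Hardened form: validate first, then return an argv array. Passing an
// array to proc_open() (PHP >= 7.4) runs the binary without a shell.
function build_span_argv(string $bridge, string $span, array $known): array
{
    if (!is_known_interface($bridge, $known) || !is_known_interface($span, $known)) {
        throw new InvalidArgumentException('invalid interface name');
    }
    return ['/sbin/ifconfig', $bridge, 'span', $span];
}

// Constructed sample input: one legitimate value, one carrying a shell operator.
$known = ['bridge0', 'em0', 'em1'];
foreach (['em1', 'em1; echo injected'] as $candidate) {
    echo 'unsafe string: ', build_span_command_unsafe('bridge0', $candidate), PHP_EOL;
    try {
        $argv = build_span_argv('bridge0', $candidate, $known);
        echo '  accepted argv: ', json_encode($argv), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo '  rejected: ', var_export($candidate, true), PHP_EOL;
    }
}
```

Validation of this kind complements the update to 25.1.8 or later and does not replace it.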
Details
- CWE(s)