CVE-2026-45158: Command Injection in OPNsense Firewall
Platform: linux
Component: opnsense
Fixed in: 26.1.8
CVE-2026-45158 is a critical Command Injection vulnerability affecting OPNsense Firewall versions 26.1.0 through 26.1.7. This flaw allows an attacker to inject malicious commands into the DHCP configuration, leading to remote code execution as root on the underlying FreeBSD operating system. The vulnerability is resolved in version 26.1.8, and immediate patching is strongly recommended.
Impact and Attack Scenarios
The impact of this vulnerability is severe. Successful exploitation allows an attacker to gain complete control over the OPNsense firewall, effectively compromising the entire network it protects. An attacker could install malware, steal sensitive data, modify firewall rules to facilitate further attacks, or use the firewall as a pivot point to attack other systems on the network. Given the root privileges required for the DHCP configuration, the blast radius extends to the entire underlying operating system and any connected resources. This vulnerability shares similarities with other command injection flaws where unsanitized input is directly passed to shell commands, potentially leading to system takeover.
Exploitation Context
CVE-2026-45158 was published on May 13, 2026. Its CRITICAL CVSS score reflects the ease of exploitation and the potential for significant impact. Currently, there are no publicly available exploits, but the vulnerability's severity suggests it is likely to attract attention from malicious actors. The lack of a KEV listing does not diminish the risk, as it is relatively new. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Threat Analysis
Exploit status
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector: Network. Remotely exploitable over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: High. An administrator or privileged account is required.
- User Interaction: None. Automated, silent attack; the victim does nothing.
- Scope: Changed. The attack can spread beyond the vulnerable component to other systems.
- Confidentiality: High. Complete loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify, or delete any data.
- Availability: High. Complete crash or resource exhaustion; total denial of service.
Affected Software
Vulnerability Classification (CWE)
Timeline
- Reserved
- Published
- Modified
Mitigation and Workarounds
The primary mitigation is to immediately upgrade OPNsense Firewall to version 26.1.8 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. Restrict access to the DHCP configuration interface to trusted administrators only. Implement strict input validation on any user-supplied data used in DHCP configuration scripts. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block command injection attempts targeting DHCP configuration endpoints can provide an additional layer of defense. Monitor system logs for suspicious activity related to DHCP configuration changes.
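Alongside log monitoring, a saved configuration backup can be reviewed for DHCP values that contain shell metacharacters. The following is an added example, not OPNsense code or part of the advisory; the page does not name the affected field, so the section markers (`dhcp`, `kea`), the function name `audit_dhcp_config` and the sample XML are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Characters and sequences a shell treats specially. Their presence in a stored
# DHCP setting is a reason to review the value, not proof of compromise.
SHELL_META = re.compile(r"[;|&`<>\n\r]|\$\(|\$\{")

# Assumption: DHCP settings live under elements whose tag contains one of these.
DHCP_MARKERS = ("dhcp", "kea")


def audit_dhcp_config(xml_text, markers=DHCP_MARKERS):
    """Return [(element_path, value)] for DHCP values holding shell metacharacters."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path, in_dhcp):
        here = f"{path}/{elem.tag}"
        # Once inside a DHCP section, every descendant value is in scope.
        in_dhcp = in_dhcp or any(m in elem.tag.lower() for m in markers)
        text = (elem.text or "").strip()
        if in_dhcp and text and SHELL_META.search(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here, in_dhcp)

    walk(root, "", False)
    return findings


# Constructed sample resembling a config backup; not taken from a real system.
# The field carrying the odd value is arbitrary and implies nothing about the CVE.
SAMPLE = """<opnsense>
  <system><hostname>fw01</hostname><domain>example.internal</domain></system>
  <dhcpd>
    <lan>
      <enable>1</enable>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <domain>example.internal;placeholder</domain>
      <dnsserver>192.168.1.1</dnsserver>
    </lan>
  </dhcpd>
</opnsense>"""

if __name__ == "__main__":
    for path, value in audit_dhcp_config(SAMPLE):
        print(f"REVIEW {path}: {value!r}")
```

Any finding should be compared against the change history for that setting; a legitimate value can occasionally contain one of these characters.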
How to Fix
Upgrade your OPNsense installation to version 26.1.8 or later to mitigate this vulnerability. The update fixes the missing sanitization of user input in the DHCP configuration, preventing remote code execution.
Frequently Asked Questions
What is CVE-2026-45158 — Command Injection in OPNsense Firewall?
CVE-2026-45158 is a critical vulnerability in OPNsense Firewall versions 26.1.0 to 26.1.7 that allows attackers to execute commands as root through the DHCP configuration interface.
Am I affected by CVE-2026-45158 in OPNsense Firewall?
You are affected if you are running OPNsense Firewall versions 26.1.0 through 26.1.7. Upgrade to 26.1.8 or later to resolve the issue.
How do I fix CVE-2026-45158 in OPNsense Firewall?
The recommended fix is to upgrade to OPNsense Firewall version 26.1.8 or later. If immediate upgrade is not possible, restrict access to the DHCP configuration and consider WAF rules.
Is CVE-2026-45158 being actively exploited?
While no public exploits are currently known, the vulnerability's severity suggests it is likely to attract malicious attention. Continuous monitoring is advised.
Where can I find the official OPNsense advisory for CVE-2026-45158?
Refer to the official OPNsense security advisory on their website: [https://opnsense.org/security/advisories/](https://opnsense.org/security/advisories/)