CRITICAL · CVE-2026-44193 · CVSS 9.1

CVE-2026-44193: RCE in OPNsense Firewall

Platform: linux

Component: opnsense

Fixed in: 26.1.7

CVE-2026-44193 describes a Remote Code Execution (RCE) vulnerability affecting OPNsense, a FreeBSD-based firewall and routing platform. This flaw stems from insufficient input sanitization within the opnsense.restoreconfigsection XMLRPC method, allowing attackers to potentially execute arbitrary code on vulnerable systems. The vulnerability impacts OPNsense versions 26.1.0 through 26.1.6 and is resolved in version 26.1.7.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-44193 grants an attacker complete control over the affected OPNsense firewall. This includes the ability to modify firewall rules, steal sensitive data (such as VPN credentials or configuration files), install malware, and pivot to other systems on the network. Given the firewall's position as a network gateway, a compromised OPNsense instance can serve as a launchpad for widespread attacks, potentially impacting all internal resources. The RCE nature of the vulnerability means that even unauthenticated attackers could potentially exploit it, depending on the firewall's configuration.

Exploitation Context

CVE-2026-44193 was published on May 13, 2026. Its criticality (CVSS 9.1) indicates a high probability of exploitation. As of this writing, there are no publicly known active campaigns targeting this vulnerability, but the ease of exploitation and the critical nature of firewalls suggest it will likely become a target. The vulnerability is not currently listed on CISA KEV, but its severity warrants close monitoring. Public Proof-of-Concept (POC) code is likely to emerge, increasing the risk of exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base score: 9.1 (Critical)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: opnsense
Vendor: opnsense
Minimum version: 26.1.0
Maximum version: < 26.1.7
Fixed in: 26.1.7

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-44193 is to immediately upgrade OPNsense to version 26.1.7 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider temporarily disabling the XMLRPC interface or restricting access to it via firewall rules. While not a complete fix, this can reduce the attack surface. Monitor OPNsense logs for suspicious XMLRPC activity, particularly requests containing unusual or unexpected data. After upgrading, verify the fix by attempting to trigger the vulnerable opnsense.restoreconfigsection method with a crafted payload; it should now be properly sanitized and fail to execute code.
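The version check and XML-RPC log monitoring described above, as an added example that is not part of the original advisory. It assumes the XML-RPC endpoint is served at /xmlrpc.php, that only one HA sync peer (a constructed address) should ever call it, and that the access log is in common log format; the sample log lines and request body are constructed.

```python
import re
from xml.etree import ElementTree as ET  # stdlib; use defusedxml for untrusted bodies in production
# Affected range from the advisory: 26.1.0 <= version < 26.1.7
AFFECTED_MIN, FIXED_IN = (26, 1, 0), (26, 1, 7)
# Assumption: OPNsense serves XML-RPC at /xmlrpc.php (the page does not state the path).
XMLRPC_PATH = "/xmlrpc.php"
WATCHED_METHOD = "opnsense.restoreconfigsection"  # method named in the advisory text
# Assumption: only the HA sync peer should ever call XML-RPC; constructed address.
ALLOWED_PEERS = {"192.0.2.2"}

def parse_version(text):
    # '26.1.3' or '26.1.3_2' -> (26, 1, 3); package revision suffixes are ignored
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True if the given OPNsense version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<verb>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')  # common log format (assumed)

def suspicious_requests(log_lines):
    """Return (ip, path, status) for POSTs to the XML-RPC endpoint from non-allowlisted peers."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["verb"] == "POST" and m["path"].startswith(XMLRPC_PATH) and m["ip"] not in ALLOWED_PEERS:
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits

def xmlrpc_method_name(body):
    """Extract <methodName> from a captured XML-RPC request body; None if not a methodCall."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    el = root.find("methodName")
    return el.text.strip() if el is not None and el.text else None
# Constructed sample data, not real traffic: one legitimate peer, one unexpected source.
SAMPLE_LOG = [
    '192.0.2.2 - - [13/May/2026:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/May/2026:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 734',
    '198.51.100.7 - - [13/May/2026:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 2048',
]
SAMPLE_BODY = "<methodCall><methodName>opnsense.restoreconfigsection</methodName><params/></methodCall>"
```

Compare `xmlrpc_method_name()` output against `WATCHED_METHOD` for any POST flagged by `suspicious_requests()` to separate routine HA sync traffic from calls that warrant investigation.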

How to fix

Upgrade OPNsense to version 26.1.7 or later to mitigate the remote code execution (RCE) vulnerability in the opnsense.restore_config_section method. This update corrects the missing sanitization of user input, preventing execution of malicious code through the XMLRPC endpoint. Consult the official OPNsense documentation for detailed instructions on how to update your system.

Frequently asked questions

What is CVE-2026-44193 — RCE in OPNsense?

CVE-2026-44193 is a critical Remote Code Execution vulnerability in OPNsense firewalls, allowing attackers to execute arbitrary code due to insufficient input sanitization in the XMLRPC interface. It affects versions 26.1.0 through 26.1.6.

Am I affected by CVE-2026-44193 in OPNsense?

You are affected if you are running OPNsense version 26.1.0, 26.1.1, 26.1.2, 26.1.3, 26.1.4, 26.1.5, or 26.1.6. Verify your version using the opnsense-version command.

How do I fix CVE-2026-44193 in OPNsense?

Upgrade OPNsense to version 26.1.7 or later. As a temporary workaround, disable the XMLRPC interface or restrict access to it via firewall rules.

Is CVE-2026-44193 being actively exploited?

While no active campaigns are currently known, the vulnerability's criticality and ease of exploitation suggest it is likely to become a target. Monitor your systems closely.

Where can I find the official OPNsense advisory for CVE-2026-44193?

Refer to the official OPNsense security advisory for detailed information and updates: [https://opnsense.org/security/advisories/](https://opnsense.org/security/advisories/)
