
May 7, 2026

OPNsense addresses code execution issue with POC available


At a glance: OPNsense has released fixes for two vulnerabilities that affect firewall management security, both disclosed with publicly available POCs. One flaw allows repeated login attempts without triggering lockouts, increasing exposure to credential‑guessing attacks, while a second, higher‑severity issue can allow full firewall takeover if an account with XMLRPC privileges is compromised. With exploitability demonstrated by the vendor, patching is a priority for organizations relying on OPNsense to protect network boundaries.

Threat summary

On April 30, OPNsense released version 26.1.7 to address two security vulnerabilities affecting its firewall platform. Both issues were disclosed through official OPNsense security advisories published via GitHub and include proof-of-concept (POC) code demonstrating exploitability.

The vulnerabilities affect OPNsense systems running version 26.1.6 or earlier and are resolved in version 26.1.7.

OPNsense is an open‑source firewall and routing platform based on FreeBSD. It is commonly deployed at the network perimeter to provide traffic filtering, virtual private networking (VPN), and centralized administration through a web‑based graphical user interface (WebGUI). The affected functionality is part of the OPNsense core codebase and is present in both Community Edition and Business Edition deployments derived from the impacted versions.

The first vulnerability, tracked as CVE-2026-44193, enables remote code execution (RCE) with root privileges on affected OPNsense systems. The vulnerability affects the XMLRPC configuration restore function and allows an authenticated user with XMLRPC Library privileges to inject operating system commands that execute with full administrative control.

Successful exploitation results in complete compromise of the firewall, including the ability to modify security policies, intercept or redirect network traffic, and use the device as a pivot point into protected environments. It has been assigned a CVSS score of 9.1 of 10, rated Critical.

The second vulnerability, tracked as CVE-2026-44195, is rated Moderate severity with a CVSS score of 5.3. It undermines authentication protection on affected OPNsense systems by allowing repeated login attempts without triggering account lockouts. The vulnerability does not grant direct access or administrative control; instead, it disables a core safeguard used to limit credential‑guessing activity against management interfaces.

By manipulating how authentication events are interpreted in system logs, a remote threat actor can continue password-guessing attempts indefinitely against both the web‑based management interface and password‑based Secure Shell (SSH). While rated Moderate due to its limited direct impact, the issue increases exposure to downstream compromise in environments with weak, reused, or externally exposed credentials.

Analysis

Together, these two vulnerabilities reduce the effectiveness of OPNsense as a security gateway until updates are applied. CVE-2026-44195 makes it easier for a threat actor to keep guessing passwords, especially where interfaces are reachable from the internet or credentials are reused. On its own, this issue does not give access, but it removes an important protection designed to slow or stop unauthorized logins.

CVE-2026-44193 carries much higher impact. If a threat actor gains access to an account with XMLRPC privileges, they can run commands as the root user and fully take over the firewall. This includes changing security rules, redirecting or inspecting network traffic, and using the firewall to access internal systems.

There is no confirmed exploit chain linking the two issues, but they compound each other: the lockout bypass increases the chance of account misuse, while the XMLRPC flaw's worst-case scenario is complete firewall compromise.

Updating to OPNsense version 26.1.7 or later resolves both vulnerabilities and restores normal security controls.

Until updates are completed, risk is reduced by limiting access to the WebGUI, Secure Shell (SSH), and XMLRPC services so they are only reachable from trusted networks.

Reviewing authentication attempts and configuration changes can also help identify misuse of management access.
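As an added illustration of that review step (example code written for this page, not part of OPNsense or its advisories), the script below parses failed-login events for the WebGUI and SSH and flags any source address that reaches a failure threshold within a time window. Because it counts failures independently of the firewall's built-in lockout logic, it serves as a compensating detection while CVE-2026-44195 remains unpatched. The log lines and their message formats are constructed for the example and only loosely modelled on OPNsense output; the regular expressions will need adjusting to the real syslog format in a given deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. The message formats are an ASSUMPTION for
# this example and are not a copy of OPNsense's real log output.
SAMPLE_LOG = """\
2026-05-01T10:00:01 fw01 lighttpd: Web GUI authentication error for 'admin' from: 203.0.113.50
2026-05-01T10:00:02 fw01 lighttpd: Web GUI authentication error for 'admin' from: 203.0.113.50
2026-05-01T10:00:03 fw01 lighttpd: Web GUI authentication error for 'root' from: 203.0.113.50
2026-05-01T10:00:04 fw01 sshd[1234]: Failed password for invalid user test from 203.0.113.50 port 51000 ssh2
2026-05-01T10:00:05 fw01 lighttpd: Web GUI authentication error for 'admin' from: 203.0.113.50
2026-05-01T10:00:06 fw01 lighttpd: Web GUI authentication error for 'admin' from: 203.0.113.50
2026-05-01T10:05:00 fw01 lighttpd: Successful login for user 'admin' from: 192.0.2.10
2026-05-01T10:05:10 fw01 lighttpd: Web GUI authentication error for 'ops' from: 192.0.2.10
2026-05-01T11:00:00 fw01 sshd[1240]: Failed password for admin from 198.51.100.7 port 40000 ssh2
"""

# Patterns for the two constructed failure formats (WebGUI and sshd).
WEBGUI_FAIL = re.compile(r"authentication error for '(?P<user>[^']+)' from: (?P<src>\S+)")
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# Leading "<timestamp> <host> <message>" prefix assumed for every line.
TS_PREFIX = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")


def parse_failures(log_text):
    """Yield (timestamp, source, user, service) for every failed-login line.

    Successful logins and unrelated messages are skipped.
    """
    for line in log_text.splitlines():
        m = TS_PREFIX.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        rest = m.group("rest")
        w = WEBGUI_FAIL.search(rest)
        if w:
            yield ts, w.group("src"), w.group("user"), "webgui"
            continue
        s = SSH_FAIL.search(rest)
        if s:
            yield ts, s.group("src"), s.group("user"), "ssh"


def flag_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source: total_failures} for every source whose failed logins
    (WebGUI and SSH combined) reach `threshold` within any single `window`.

    A sliding window over the sorted timestamps per source finds bursts
    without relying on the firewall's own lockout counters.
    """
    by_src = defaultdict(list)
    for ts, src, _user, _service in parse_failures(log_text):
        by_src[src].append(ts)

    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it fits `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for src, count in flag_bruteforce(SAMPLE_LOG).items():
        print(f"review source {src}: {count} failed logins")
```

Any source the script flags should be checked against the list of networks permitted to reach management services; a burst from an address outside that list is a sign that the WebGUI or SSH is more exposed than intended, and a burst that never produced a lockout in the firewall's own logs is worth correlating with the lockout-bypass issue described above.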
