OPNsense Command Injection Vulnerability in Bridge Interface Edit Endpoint

A command injection vulnerability has been identified in OPNsense version 25.1, specifically within the Bridge Interface Edit endpoint (interfaces_bridge_edit.php). This vulnerability allows authenticated administrators to inject arbitrary shell commands through the span POST parameter, which is improperly sanitized before being executed. Exploitation of this flaw results in remote code execution with root privileges, potentially leading to a complete system compromise or unauthorized lateral movement within the network.

Impact

Exploitation of this vulnerability allows for remote code execution with root privileges, potentially compromising the entire system or facilitating lateral movement to other systems.

Reproduction

To reproduce this vulnerability, an authenticated administrator can send a POST request to the Bridge Interface Edit endpoint (interfaces_bridge_edit.php) with the span parameter included. The span parameter can be crafted to include arbitrary shell commands and operators, which will be executed on the server.