Deciso OPNsense Command Injection Vulnerability in diag_backup.php Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the Deciso OPNsense web interface, specifically in the diag_backup.php file. This vulnerability allows authenticated, network-adjacent attackers to execute arbitrary code with root privileges on the affected system. The issue arises from inadequate validation of user-supplied input before it is used to execute system commands. As a result, attackers can manipulate the input to execute malicious code on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system, with the executed code running in the context of the root user.

Remediation

Deciso has released a patch for this vulnerability. Users are advised to update to the latest version of OPNsense. Instructions for updating can be found in the OPNsense documentation.

Added: Feb 20, 2026, 11:24 PM
Updated: Feb 20, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 7.5
exploitability: 4.2
remediation: 7.7
relevance: 3.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.