CVE-2019-25369 Overview
CVE-2019-25369 is a stored cross-site scripting (XSS) vulnerability in OPNsense 19.1 that affects the system_advanced_sysctl.php endpoint. This vulnerability allows authenticated attackers to inject persistent malicious scripts via the tunable parameter, which are then stored and executed in the context of other authenticated user sessions when the affected page is viewed.
Critical Impact
Attackers can compromise administrative sessions, steal credentials, and potentially gain full control of the OPNsense firewall appliance through persistent script injection.
Affected Products
- OPNsense 19.1
- OPNsense firewall appliances running vulnerable firmware versions
Discovery Timeline
- 2026-02-15 - CVE-2019-25369 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2019-25369
Vulnerability Analysis
This stored cross-site scripting vulnerability exists in the system tunables management interface of OPNsense 19.1. The system_advanced_sysctl.php endpoint fails to properly sanitize user-supplied input in the tunable parameter before storing it in the system configuration and rendering it back to users.
When an attacker submits a POST request containing JavaScript payloads in the tunable parameter, the malicious content is persisted in the system configuration. Subsequently, when any authenticated administrator or user views the System Tunables page, the stored script executes within their browser session with full access to their authentication context.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically as a stored/persistent XSS variant which is more dangerous than reflected XSS because the payload persists across page loads and can affect multiple users.
Root Cause
The root cause of this vulnerability is insufficient input validation and output encoding in the system_advanced_sysctl.php script. The application accepts user-controlled data for system tunable parameters without properly sanitizing special characters that have meaning in HTML/JavaScript contexts. When this data is later displayed on the page, it is rendered as executable code rather than being safely escaped as text content.
Attack Vector
The attack requires network access and authenticated access to the OPNsense web interface. An attacker with valid credentials can navigate to the System Tunables configuration page and submit a POST request containing malicious JavaScript code within the tunable parameter field. Once stored, any user accessing the tunables page will have the malicious script execute in their browser session.
This stored XSS attack can be leveraged to steal session cookies, perform actions on behalf of administrators, modify firewall configurations, create new administrative accounts, or redirect users to malicious sites. The attack surface is particularly concerning given that OPNsense is typically used as a network security appliance.
For technical details on the exploitation technique, refer to the Exploit-DB entry #46351 and the VulnCheck OPNsense Advisory.
Detection Methods for CVE-2019-25369
Indicators of Compromise
- Unusual or suspicious entries in the System Tunables configuration containing JavaScript code or HTML tags
- Web server logs showing POST requests to system_advanced_sysctl.php with encoded script payloads
- Unexpected administrative account creation or privilege modifications
- Browser developer console errors related to cross-origin requests or blocked scripts
Detection Strategies
- Monitor HTTP POST requests to system_advanced_sysctl.php for script tags, event handlers, or encoded JavaScript patterns
- Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in form submissions
- Review system tunable configurations periodically for entries containing non-standard characters or HTML/script content
- Enable Content Security Policy (CSP) headers to detect and report inline script execution attempts
Monitoring Recommendations
- Configure centralized logging for all OPNsense web interface access and modification events
- Set up alerts for modifications to system tunables from unusual IP addresses or at unusual times
- Monitor for session anomalies that may indicate stolen credentials or session hijacking
- Implement audit logging for all administrative configuration changes
How to Mitigate CVE-2019-25369
Immediate Actions Required
- Upgrade OPNsense to a patched version beyond 19.1 that includes XSS protections
- Review existing system tunable configurations for suspicious or malicious entries
- Restrict access to the OPNsense administrative interface to trusted networks only
- Implement multi-factor authentication for administrative access
Patch Information
OPNsense users should upgrade to a version newer than 19.1 to address this vulnerability. Consult the OPNsense Official Website for the latest stable release and upgrade procedures. Additional information about this vulnerability can be found in the OPNsense Forum Topic.
Workarounds
- Limit administrative interface access to trusted IP addresses using firewall rules
- Implement a reverse proxy with WAF capabilities in front of the OPNsense web interface to filter XSS payloads
- Disable or restrict access to the System Tunables page if not actively required
- Use network segmentation to isolate management interfaces from general user networks
# Example: Restrict web GUI access to management VLAN only
# Add firewall rule to limit access to port 443 on OPNsense
# Navigate to Firewall > Rules > WAN
# Create a block rule for destination port 443 from untrusted networks
# Allow only management VLAN (e.g., 192.168.10.0/24) to access GUI
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
