CVE-2019-25374 Overview
CVE-2019-25374 is a reflected cross-site scripting (XSS) vulnerability affecting OPNsense 19.1, an open-source firewall and routing platform. The vulnerability exists in the vpn_ipsec_settings.php file, where the passthrough_networks parameter fails to properly sanitize user-supplied input. Attackers can exploit this flaw by crafting malicious POST requests containing JavaScript payloads, which are then reflected back and executed in the context of authenticated users' browsers.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript code in the browser sessions of OPNsense administrators, potentially leading to session hijacking, credential theft, or unauthorized configuration changes to network security infrastructure.
Affected Products
- OPNsense 19.1
Discovery Timeline
- 2026-02-15 - CVE-2019-25374 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2019-25374
Vulnerability Analysis
This reflected XSS vulnerability occurs within the IPsec VPN settings management interface of OPNsense. When administrators access the vpn_ipsec_settings.php page to configure IPsec passthrough networks, the application fails to properly encode or sanitize the passthrough_networks parameter before reflecting it in the response. This allows an attacker to inject malicious script content that executes in the victim's browser with the same privileges as the authenticated administrator.
The attack requires user interaction, as the victim must be tricked into submitting or clicking a crafted request. However, given that OPNsense is typically used as a network security appliance, successful exploitation could have significant consequences for the security of the entire network infrastructure.
Root Cause
The root cause of CVE-2019-25374 is improper input validation and output encoding in the vpn_ipsec_settings.php script. The passthrough_networks parameter is accepted from user input via POST requests and reflected back into the HTML response without adequate sanitization. This violates the fundamental security principle of treating all user input as untrusted and properly encoding output based on its context.
The vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), which is one of the most prevalent web application security weaknesses.
Attack Vector
The attack is network-based and requires an attacker to craft a malicious link or form that, when triggered by an authenticated OPNsense administrator, sends a POST request containing JavaScript code in the passthrough_networks parameter. The malicious script is then executed in the administrator's browser session.
A typical attack scenario involves:
- An attacker crafts a malicious page containing a hidden form that auto-submits a POST request to the vulnerable endpoint
- The attacker tricks an OPNsense administrator into visiting the malicious page (via phishing or other social engineering)
- The form submits automatically, sending the XSS payload to the OPNsense instance
- The payload executes in the administrator's browser context, allowing the attacker to steal session tokens, modify firewall rules, or perform other malicious actions
Technical details and proof-of-concept information are available through the Exploit-DB #46351 reference.
Detection Methods for CVE-2019-25374
Indicators of Compromise
- Unusual POST requests to /vpn_ipsec_settings.php containing script tags or JavaScript event handlers in the passthrough_networks parameter
- Web server logs showing encoded JavaScript payloads such as <script>, javascript:, or event handlers like onerror=, onload=
- Unexpected session activity or configuration changes following administrator access to IPsec settings
- Browser console errors or unexpected JavaScript execution on the OPNsense management interface
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block XSS patterns in requests to OPNsense management interfaces
- Monitor web server access logs for suspicious patterns in the passthrough_networks parameter field
- Deploy SentinelOne Singularity XDR to detect browser-based attacks and anomalous script execution on management workstations
- Enable Content Security Policy (CSP) headers to restrict inline script execution and report violations
Monitoring Recommendations
- Configure alerting for POST requests to vpn_ipsec_settings.php containing HTML or JavaScript syntax
- Monitor administrator session activity for signs of session hijacking or unauthorized configuration changes
- Implement logging and monitoring of all changes to IPsec VPN settings
- Review browser security logs from administrator workstations for evidence of XSS exploitation attempts
How to Mitigate CVE-2019-25374
Immediate Actions Required
- Upgrade OPNsense to a patched version newer than 19.1 that addresses this vulnerability
- Restrict access to the OPNsense web management interface to trusted IP addresses only
- Implement network segmentation to limit exposure of the management interface
- Train administrators to recognize and avoid potential XSS attack vectors such as suspicious links or phishing attempts
Patch Information
The vulnerability affects OPNsense version 19.1. Users should upgrade to the latest stable release of OPNsense, which includes fixes for this and other security issues. For additional information, refer to the OPNsense Forum Discussion and the VulnCheck OPNsense Advisory.
Workarounds
- Restrict management interface access to specific trusted IP addresses using firewall rules
- Access the OPNsense management interface only from dedicated, isolated management workstations
- Use a browser with strict XSS protection features and ensure it is up to date
- Consider implementing a reverse proxy with XSS filtering capabilities in front of the management interface
# Configuration example - Restrict OPNsense management access to trusted IPs
# Add these rules to limit access to the web GUI (typically on port 443)
# Replace 10.0.0.0/24 with your trusted management network
# In OPNsense Firewall Rules for the management interface:
# Action: Pass
# Interface: LAN (or management interface)
# Source: 10.0.0.0/24 (trusted management network)
# Destination: This Firewall
# Destination Port: 443 (HTTPS)
# Block all other access to the web GUI
# Action: Block
# Interface: Any
# Source: Any
# Destination: This Firewall
# Destination Port: 443
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
