CVE-2026-45158 Overview
CVE-2026-45158 is a command injection vulnerability in OPNsense, a FreeBSD-based firewall and routing platform. Unsanitized user input from the DHCP configuration of a configured interface is passed to a shell script and processed there. An authenticated attacker with high privileges can inject shell commands through this input, achieving remote code execution as root on the underlying operating system. The flaw affects all OPNsense versions prior to 26.1.8 and is tracked under CWE-88 (Argument Injection). The vendor addressed the issue in OPNsense 26.1.8.
Critical Impact
Successful exploitation grants root-level remote code execution on the firewall appliance, compromising perimeter security controls and enabling pivoting into protected networks.
Affected Products
- OPNsense versions prior to 26.1.8
- OPNsense FreeBSD-based firewall and routing platform
- Web management interface DHCP configuration component
Discovery Timeline
- 2026-05-13 - CVE-2026-45158 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45158
Vulnerability Analysis
The vulnerability resides in how OPNsense processes DHCP configuration values for the configured network interface. User-supplied input flows from the management interface into a backend shell script without proper sanitization or argument separation. The shell interpreter evaluates attacker-controlled content as part of a command line, allowing arbitrary command execution.
Because the DHCP service and its supporting scripts run with elevated privileges, the injected commands execute as root. This grants full control over the firewall, including configuration files, cryptographic material, VPN credentials, and traffic inspection capabilities.
The issue is classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command). Exploitation requires authenticated access with high privileges to the management interface, but is otherwise low-complexity and remotely reachable over the network.
Root Cause
The root cause is the absence of input validation and argument neutralization when DHCP configuration parameters are passed from the web UI into a shell script. Shell metacharacters and argument delimiters supplied by the user are interpreted by the shell instead of being treated as literal data.
Attack Vector
An authenticated administrator-level attacker submits crafted DHCP interface configuration values through the OPNsense management interface. When the backend shell script consumes these values, embedded shell syntax executes in the context of root. The attack vector is network-accessible and requires no user interaction beyond the attacker's own authenticated session.
No verified public proof-of-concept code is available. Refer to the OPNsense GitHub Security Advisory GHSA-5rx3-w735-74wm for vendor technical details.
Detection Methods for CVE-2026-45158
Indicators of Compromise
- Unexpected child processes spawned by DHCP-related shell scripts or dhcpd service wrappers on the OPNsense host.
- Modifications to system binaries, cron jobs, or /etc/rc.conf.local outside of normal administrative change windows.
- Outbound network connections originating from the firewall to unfamiliar external hosts, especially over non-management ports.
- Audit log entries showing DHCP configuration changes containing shell metacharacters such as backticks, $(...), ;, or &&.
Detection Strategies
- Inspect the OPNsense configd and web UI audit logs for DHCP interface configuration changes containing shell metacharacters.
- Monitor process execution telemetry on the firewall for shell processes spawned as children of DHCP configuration handlers.
- Compare installed OPNsense version against 26.1.8 across all firewall appliances to identify exposed systems.
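An added detection example, not code from the page or the OPNsense project, that applies the audit-log strategy and the version check above to constructed audit lines; the log format, field names (user, path, value) and sample values are assumptions, and the metacharacter set is broader than the four tokens listed in the indicators:

```python
import re
from typing import Optional

# Constructed sample audit lines (format and field names are assumptions,
# not real OPNsense log output); two dhcpd.* changes carry shell syntax.
SAMPLE_LOG = """\
2026-05-14T09:12:01 audit: user=admin action=config_change path=dhcpd.lan.range value="192.168.1.100-192.168.1.200"
2026-05-14T09:15:44 audit: user=admin action=config_change path=dhcpd.lan.domain value="corp.example"
2026-05-14T09:17:03 audit: user=svc_ops action=config_change path=dhcpd.opt1.domain value="corp.example; id"
2026-05-14T09:18:10 audit: user=admin action=config_change path=firewall.rules value="pass in on lan && log"
2026-05-14T09:19:22 audit: user=admin action=config_change path=dhcpd.lan.ntpserver value="`hostname`"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) audit: user=(?P<user>\S+) action=config_change '
    r'path=(?P<path>\S+) value="(?P<value>.*)"$'
)
# Wider than the page's list (backticks, $(...), ;, &&): any character a POSIX
# shell treats as a command separator, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\n]")
FIXED_VERSION = (26, 1, 8)  # first release containing the vendor fix

def parse_line(line: str) -> Optional[dict]:
    """Return the audit fields of one line, or None if it is not a config change."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(log_text: str) -> list:
    """DHCP (dhcpd.*) configuration changes whose value contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or not entry["path"].startswith("dhcpd."):
            continue  # non-DHCP paths (e.g. firewall.rules) are out of scope here
        meta = sorted(set(SHELL_META.findall(entry["value"])))
        if meta:
            entry["metachars"] = meta
            hits.append(entry)
    return hits

def is_vulnerable_version(version: str) -> bool:
    """True if an OPNsense version string (e.g. '26.1.7', '25.7', '26.1.8_1') predates 26.1.8."""
    base = version.split("_")[0]  # drop a package revision suffix if present
    parts = tuple(int(p) for p in base.split("."))
    return parts < FIXED_VERSION  # tuple compare: (26, 1) < (26, 1, 8) is True

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} user={hit["user"]} path={hit["path"]} metachars={hit["metachars"]}')
    print("26.1.7 vulnerable:", is_vulnerable_version("26.1.7"))
```

Feed real exported audit lines through `parse_line` only after adjusting `LINE_RE` to the actual format your OPNsense build emits.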
Monitoring Recommendations
- Forward OPNsense system and audit logs to a centralized log platform for retention and correlation against management interface activity.
- Alert on any administrative authentication to the OPNsense web UI from non-approved source IP ranges.
- Track integrity of firewall configuration files and compare against known-good baselines after every change.
How to Mitigate CVE-2026-45158
Immediate Actions Required
- Upgrade all OPNsense instances to version 26.1.8 or later, which contains the official fix.
- Restrict access to the OPNsense management interface to a dedicated management VLAN or jump host.
- Rotate administrator credentials, API keys, and any secrets stored on the firewall after patching, assuming potential compromise on unpatched systems.
- Review recent DHCP interface configuration changes for suspicious values containing shell syntax.
Patch Information
OPNsense 26.1.8 remediates the vulnerability by sanitizing user input before it reaches the DHCP configuration shell script. See the OPNsense GitHub Security Advisory GHSA-5rx3-w735-74wm for vendor-issued release notes and upgrade guidance.
Workarounds
- Limit administrative accounts on the OPNsense web UI to a minimum set of trusted operators until the upgrade is complete.
- Enforce multi-factor authentication on all OPNsense administrator accounts to reduce the likelihood of credential-based access.
- Block network access to the OPNsense management interface from untrusted networks using upstream access control lists.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.