ZDI-25-1022 – OPNsense Backup Path Traversal Enables Root File Creation
Category:Vulnerabilities & Exploits
ZDI-25-1022 describes a directory traversal vulnerability in the configuration backup handling of the Deciso OPNsense firewall that allows authenticated, network-adjacent attackers to create arbitrary files as root. The flaw arises from insufficient validation of a user-supplied path parameter when backup configuration files are processed, and is mapped to MITRE ATT&CK T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation). With valid credentials, an attacker can abuse the diag_backup.php functionality to write files anywhere on the filesystem, potentially leading to code execution or a persistent backdoor on the appliance.

Because OPNsense is often deployed as a perimeter firewall or VPN concentrator, compromise of the device gives an attacker a powerful vantage point for traffic interception, lateral movement, or denial of service against protected networks. Although exploitation requires authentication, credential theft through phishing, password reuse, or insider access is common in real-world incidents. Once arbitrary file creation is possible, an adversary can plant malicious PHP scripts, alter configuration files, or tamper with system binaries to achieve durable control that may survive superficial remediation.

For organizations, a compromised OPNsense instance undermines the integrity of network segmentation, VPN access control, and monitoring, putting sensitive internal systems at risk. Attackers with root-level access to the firewall can exfiltrate traffic, weaken security controls, or stage further attacks while appearing as legitimate internal hosts. This has direct implications for compliance frameworks that assume the perimeter device is trustworthy, including PCI DSS for cardholder data environments and sector-specific cyber regulations.
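The bug class the advisory describes, as an added example written for this page rather than code from OPNsense, Deciso or ZDI: a Python sketch of a backup-file handler that joins a user-supplied name onto a directory without validation, beside a hardened version that decodes the value, accepts only a bare file name, and confirms containment after symlink resolution. The directory name, the parameter handling and the function names are assumptions; the advisory does not publish the affected code or parameter.

```python
import os
from urllib.parse import unquote

# Assumed backup directory for the illustration; not taken from the advisory.
BACKUP_DIR = "/conf/backup"


def vulnerable_target(user_supplied: str) -> str:
    """The bug class: a user-controlled name goes straight into the file path.

    Two things go wrong here. '..' segments are not rejected, so the path can
    climb out of BACKUP_DIR, and os.path.join() discards BACKUP_DIR entirely
    when the supplied value is absolute (a frequently overlooked pitfall).
    """
    return os.path.join(BACKUP_DIR, user_supplied)


def safe_target(user_supplied: str) -> str:
    """Hardened form: decode, reject anything but a plain file name, then
    confirm the resolved path still lies inside BACKUP_DIR.
    """
    # Collapse single and double URL encoding (%2e%2e, %252e%252e) before checking.
    decoded = unquote(unquote(user_supplied))
    if not decoded or "\x00" in decoded:
        raise ValueError("empty or NUL-containing filename")
    # Only a bare file name is acceptable: no '/', no '\\', no '.', no '..'.
    if "\\" in decoded or decoded != os.path.basename(decoded) or decoded in (".", ".."):
        raise ValueError("filename must not contain path components")
    base = os.path.realpath(BACKUP_DIR)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Belt and braces: even after the name check, require containment after
    # symlink resolution, so a symlink already present inside BACKUP_DIR cannot
    # point the write outside it (a race between check and use is not covered here).
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes backup directory")
    return candidate


def is_safe_name(user_supplied: str) -> bool:
    """Convenience wrapper: True if safe_target() accepts the name."""
    try:
        safe_target(user_supplied)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and four traversal attempts.
    for name in ["config-2025-11-26.xml", "../../etc/rc.local", "/etc/crontab",
                 "%2e%2e%2fetc%2fcrontab", "%252e%252e%252fetc%252fcrontab"]:
        print(f"{name!r:36} unchecked -> {os.path.normpath(vulnerable_target(name)):28}"
              f" hardened -> {'accept' if is_safe_name(name) else 'reject'}")
```

The absolute-path case is the one most often missed in review: a check that only looks for ".." passes "/etc/crontab", and os.path.join() then silently drops the base directory. Rejecting anything that is not a bare file name sidesteps that entire class of normalisation arguments.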
Mitigation should focus on patching to the vendor-fixed release once available or applying interim configuration hardening, such as restricting access to the diagnostic and backup interfaces, enforcing strong MFA on admin accounts, and monitoring for suspicious backup operations. Security teams should audit firewall administrator account usage, look for unexpected files or web shells on OPNsense appliances, and ensure that backups are integrity-checked. Long term, organizations should treat perimeter devices as high-value assets with strict change management, comprehensive logging, and regular security assessments.
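For the monitoring recommendation, an added example (not tooling from OPNsense, Deciso or ZDI) that scans web-server access log lines for requests to diag_backup.php whose query parameters carry traversal sequences or absolute paths, after undoing single and double URL encoding, and that also flags use of the endpoint from outside an assumed management network. The log format, the parameter name, the sample lines and the trusted range are all constructed for the illustration; the advisory does not publish the vulnerable parameter.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined access-log format. The parameter name
# 'backup' and the paths are illustrative and not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2025:10:01:02 +0000] "GET /diag_backup.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2025:10:01:40 +0000] "POST /diag_backup.php?backup=config-2025.xml HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.168.50.23 - - [26/Nov/2025:10:02:11 +0000] "POST /diag_backup.php?backup=..%2F..%2F..%2Fusr%2Flocal%2Fwww%2Fx.php HTTP/1.1" 200 120 "-" "curl/8.4.0"
192.168.50.23 - - [26/Nov/2025:10:02:15 +0000] "POST /diag_backup.php?backup=%252e%252e%252fetc%252frc.local HTTP/1.1" 200 120 "-" "curl/8.4.0"
10.0.0.5 - - [26/Nov/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Assumed trusted management range; adjust to the real admin network.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]

BACKUP_ENDPOINT = "/diag_backup.php"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A '..' path segment with either separator, or a leading '/' (absolute path).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^/')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse(log_text: str) -> list:
    """Return one finding per suspicious request to the backup endpoint."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != BACKUP_ENDPOINT:
            continue
        reasons = []
        # parse_qsl already decodes one layer; decode_fully catches nested encoding.
        for key, raw in parse_qsl(parts.query, keep_blank_values=True):
            if TRAVERSAL_RE.search(decode_fully(raw)):
                reasons.append(f"traversal in parameter {key!r}")
        src = ipaddress.ip_address(m.group("ip"))
        if not any(src in net for net in ADMIN_NETS):
            reasons.append("backup endpoint used from outside management network")
        if reasons:
            findings.append({"line": line_no, "ip": str(src), "ts": m.group("ts"),
                             "method": m.group("method"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['method']} -> {'; '.join(f['reasons'])}")
```

Access logs carry only the query string, so a parameter submitted in a POST body is invisible to this check; treat a clean result as "no evidence in the access log", not as proof of absence, and pair it with the file-system integrity review the guidance below calls for.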
CORTEX Protocol Intelligence Assessment
Business Impact: ZDI-25-1022 transforms a misconfigured or credential-exposed OPNsense firewall into a stepping stone for full network compromise, allowing attackers to create root-owned files and potentially execute arbitrary code. Organizations relying on OPNsense for segmentation and VPNs risk data exposure, stealthy lateral movement, and loss of control over critical traffic flows.
Technical Context: The vulnerability is a path traversal and input validation flaw in backup file handling within diag_backup.php, mapped to T1190 and T1068. Successful exploitation lets authenticated attackers create arbitrary files as root, enabling installation of web shells, persistent implants, or tampering with configuration and system components.
Strategic Intelligence Guidance
- Apply the vendor patch or recommended workaround for ZDI-25-1022 as soon as it becomes available and restrict access to OPNsense management and diagnostic interfaces to trusted admin networks.
- Enforce multi-factor authentication and strong password policies for all firewall administrator accounts and monitor for anomalous logins or backup operations.
- Perform a one-time integrity review of OPNsense systems to detect unexpected files, web shells, or modified configuration and leverage file integrity monitoring going forward.
- Treat firewall and VPN appliances as high-value assets, with regular security assessments, configuration baselines, and centralized logging to detect abuse early.
Intelligence Source: ZDI-25-1022 – OPNsense Backup Path Traversal Enables Root File Creation | Nov 26, 2025