CVE-2025-50989

Name of the Vulnerable Software and Affected Versions: OPNsense version 25.1

Description: OPNsense version 25.1 contains an authenticated command injection issue in the Bridge Interface Edit endpoint (interfaces bridge edit.php). The span POST parameter is concatenated into a system-level command without proper sanitization, allowing an administrator to inject arbitrary shell operators and payloads. Successful exploitation could lead to remote code execution with the privileges of the web service, potentially resulting in full system compromise or lateral movement. This is due to inadequate input validation and improper handling of user-supplied data in backend command invocations.

Recommendations: Update to a newer version that contains a fix for this issue. As a temporary workaround, restrict access to the interfaces bridge edit.php endpoint. Sanitize or escape the span POST parameter before using it in system-level commands.