CVE-2019-25369 in OPNsenseinfo

Summary

by MITRE • 02/15/2026

OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. Attackers can submit POST requests with script payloads that are stored and executed in the context of authenticated user sessions when the page is viewed.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/20/2026

The vulnerability CVE-2019-25369 represents a critical stored cross-site scripting flaw within OPNsense version 19.1, specifically affecting the system_advanced_sysctl.php web endpoint. This security weakness resides in the application's handling of user input through the tunable parameter, which fails to properly sanitize or validate malicious content submitted via POST requests. The flaw enables attackers to inject persistent malicious scripts that become permanently stored within the system's configuration, creating a long-term security risk that persists across user sessions and system reboots. The vulnerability's classification as a stored XSS issue means that malicious payloads are not merely reflected in responses but are actually saved and executed whenever the affected page is accessed by authenticated users.

The technical implementation of this vulnerability stems from insufficient input validation and output encoding mechanisms within the OPNsense web interface. When administrators or users navigate to the system advanced sysctl page, the application processes the tunable parameter without adequate sanitization, allowing script code to be stored directly in the system configuration files. This creates a persistent threat vector where attackers can craft malicious payloads that execute in the context of authenticated user sessions, potentially with elevated privileges depending on the user's access level. The vulnerability specifically targets the system_advanced_sysctl.php endpoint, which handles kernel parameter tuning configurations, making it particularly dangerous as it resides in a critical system management interface.

The operational impact of CVE-2019-25369 extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including credential theft, session hijacking, and privilege escalation. Since the vulnerability affects authenticated sessions, attackers can potentially gain access to sensitive system configurations, network settings, and administrative functions that would otherwise be restricted to authorized personnel. The stored nature of the vulnerability means that even if users do not immediately view the affected page, the malicious code remains active and ready to execute when the page is accessed, creating a persistent backdoor. This flaw aligns with CWE-79, which describes cross-site scripting vulnerabilities, and can be mapped to ATT&CK technique T1059.007 for scripting execution, as well as T1566 for credential access through malicious scripts.

Mitigation strategies for this vulnerability require immediate patching of OPNsense systems to version 19.1.10 or later, which contains the necessary fixes for the stored XSS issue. Organizations should implement network segmentation to limit access to administrative interfaces and enforce strict access controls for system configuration pages. Security monitoring should be enhanced to detect suspicious POST requests containing script payloads, particularly those targeting system_advanced_sysctl.php endpoints. Regular security assessments of web application inputs and outputs should be conducted to identify similar validation gaps, with emphasis on parameter handling within administrative interfaces. System administrators should also consider implementing web application firewalls and input validation rules specifically designed to prevent script injection attacks in configuration management interfaces. The vulnerability demonstrates the critical importance of proper input sanitization in administrative web interfaces, as highlighted by industry best practices for secure coding and the OWASP Top Ten security risks.

Responsible

VulnCheck

Reservation

02/15/2026

Disclosure

02/15/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00199

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!