CVE-2025-13698 in OPNsense

Summary

by MITRE • 12/24/2025

Deciso OPNsense diag_backup.php filename Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Deciso OPNsense. Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of backup configuration files. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to create files in the context of root. Was ZDI-CAN-28133.


Analysis

by VulDB Data Team • 01/04/2026

CVE-2025-13698 is a critical directory traversal flaw in the diag_backup.php component of Deciso OPNsense that lets authenticated attackers create arbitrary files on affected systems. The flaw combines improper input validation with a privilege boundary problem: a network-adjacent adversary who holds valid credentials can use it to compromise system integrity. It manifests in how the application processes user-supplied file paths during backup configuration operations; because those paths are not adequately sanitized, an attacker can steer where the file is written. The weakness is classified as CWE-22 (directory traversal): the application fails to validate and sanitize file paths before using them in file system operations. The consequences go beyond simple file creation, since files placed in critical system directories can lead to privilege escalation and persistent access. The impact is amplified by the fact that only authentication is required, so users with valid credentials but without administrative privileges may still be able to compromise the system.

Exploitation works through the file path parameters of the diag_backup.php script, where user input is incorporated into file system operations without adequate validation or sanitization. A backup file name containing directory traversal sequences such as "../", or a similar path manipulation, lets the request step outside the intended directory and create a file in an arbitrary location, so an attacker could overwrite critical system files or place files in system directories, particularly those written in the root user context. The exploitation pathway aligns with ATT&CK technique T1059.001 for command and scripting interpreter and T1566.001 for credential access, as the attacker must first authenticate to the system before leveraging this path traversal capability. Execution in the root context is particularly concerning because it enables system-level compromise that bypasses ordinary user privilege boundaries and can give an attacker persistent access to the network security appliance.
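The gap the advisory describes is a user-supplied backup name being used in a file operation without validation. The example below is added here for illustration and is not OPNsense's code (diag_backup.php is PHP; this is a generic Python rendering of the same pattern). It shows the vulnerable join next to a hardened version that allowlists the basename and then confirms the resolved path still lies inside the backup directory. The directory name, the function names and the sample file names are all constructed for the demonstration.

```python
import os
import re

# Assumed backup directory: a placeholder for the demonstration, not OPNsense's real path.
BACKUP_DIR = "/var/backups/config"

# Allowlist for a plain basename: an alphanumeric first character, then letters,
# digits, dot, dash or underscore. No '/' and no leading dot, so neither '..'
# segments nor absolute paths can ever match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")


class InvalidBackupName(ValueError):
    """Raised when a user-supplied backup name is rejected."""


def unsafe_backup_path(base_dir: str, filename: str) -> str:
    """Vulnerable pattern (constructed): the name is joined onto the base
    directory with no validation. '../' segments walk out of base_dir, and an
    absolute name makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, filename)


def safe_backup_path(base_dir: str, filename: str) -> str:
    """Hardened pattern: allowlist the basename, then resolve the result and
    verify it still lies inside base_dir before any file operation."""
    if not _SAFE_NAME.fullmatch(filename):
        raise InvalidBackupName(f"rejected backup name: {filename!r}")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, filename))
    # realpath collapses '..' and follows symlinks, so this containment check
    # is defence in depth against anything the allowlist did not anticipate.
    if os.path.commonpath([root, candidate]) != root:
        raise InvalidBackupName(f"path escapes backup directory: {filename!r}")
    return candidate


def evaluate(base_dir: str, filenames) -> dict:
    """For each name return (escapes_with_unsafe_join, accepted_by_safe_path)."""
    root = os.path.realpath(base_dir)
    results = {}
    for name in filenames:
        joined = os.path.realpath(unsafe_backup_path(base_dir, name))
        escapes = os.path.commonpath([root, joined]) != root
        try:
            safe_backup_path(base_dir, name)
            accepted = True
        except InvalidBackupName:
            accepted = False
        results[name] = (escapes, accepted)
    return results


# Constructed sample names: a legitimate backup, a traversal sequence, an
# absolute path, and a name with a subdirectory component.
SAMPLE_NAMES = [
    "config-2025-12-24.xml",
    "../../../etc/example.txt",
    "/etc/example.txt",
    "nested/config.xml",
]

if __name__ == "__main__":
    for name, (escapes, accepted) in evaluate(BACKUP_DIR, SAMPLE_NAMES).items():
        print(f"{name!r:30} unsafe join escapes: {str(escapes):5}  hardened accepts: {accepted}")
```

The allowlist does the real work; the realpath/commonpath containment check is there so that a later change to the allowlist (or a symlink inside the backup directory) cannot silently reopen the hole. Note that "nested/config.xml" is rejected by the hardened version even though it does not escape the directory: a backup name has no business containing a separator at all.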

The operational impact of CVE-2025-13698 goes beyond file creation to broader system compromise and potential denial of service. Administrators may find files planted in critical directories such as /etc, /usr/local/etc or other configuration areas of their security appliance, leading to configuration corruption or an unauthorized access point. Because the flaw sits in backup functionality, an attacker could also create malicious backup files that are restored later, a persistent threat that survives reboots. This threat model maps to ATT&CK tactics TA0003 (Persistence) and TA0004 (Privilege Escalation), since root-context execution can be used to establish long-term access. Exploitation requires little skill and can be automated, which makes it especially dangerous where many users hold credentials for the OPNsense interface. Organizations whose OPNsense management interfaces are exposed face significant risk, as the flaw can be exploited without physical access or advanced technical knowledge. The combination of an authentication-only prerequisite with arbitrary file creation produces an attack surface usable both for immediate compromise and for long-term persistence inside network security infrastructure.

Organizations should apply the vendor patches or updates that address the directory traversal in diag_backup.php as the immediate mitigation. Network segmentation and access control should be tightened to limit who can authenticate to the OPNsense management interface. System directories should be monitored for unauthorized file creation and modification as a standing security operations task. Because this is a directory traversal issue, the durable fix is proper input validation and sanitization that prevents path manipulation. Security teams should also assess other OPNsense components for similar path traversal flaws, audit backup and restore functionality regularly, and deploy file integrity monitoring to detect unauthorized file creation in critical system directories. Access control policies should be reviewed so that only authorized personnel can perform backup operations, which narrows the attack surface for this vulnerability. These controls align with the access control and system integrity requirements of security frameworks such as NIST SP 800-53 and ISO 27001.
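The monitoring recommended above is the detection-side counterpart to the traversal flaw: a file written outside the backup directory shows up as a new or changed file in a directory that should be stable. The following is an added example, not part of the VulDB entry or of OPNsense, of a minimal file integrity check: it hashes every regular file under a set of watched directories into a baseline, then reports additions, modifications and deletions on a later pass. The watched tree, file names and contents are constructed in a temporary directory so the script runs offline; on a real appliance the watch list would be directories such as /etc and /usr/local/etc.

```python
import hashlib
import os
import tempfile


def snapshot(watch_dirs):
    """Return {absolute_path: sha256_hex} for every regular file under watch_dirs.
    Symlinks are skipped so a link pointing outside the tree cannot be used to
    hide or substitute content in the baseline."""
    baseline = {}
    for d in watch_dirs:
        for dirpath, _subdirs, files in os.walk(d):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                baseline[path] = digest.hexdigest()
    return baseline


def diff_snapshots(before, after):
    """Classify changes between two snapshots. 'added' is the signal a
    traversal write would produce; 'modified' covers an overwritten config."""
    added = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    removed = sorted(p for p in before if p not in after)
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: build a small /etc-like tree, baseline it, then
    simulate one unauthorized edit and one unexpected new file, and return the
    report with paths relative to the watched directory."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "rc.conf"), "w") as f:
        f.write("hostname=fw1\n")
    with open(os.path.join(etc, "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")

    before = snapshot([etc])

    # Simulated unauthorized changes after the baseline was taken.
    with open(os.path.join(etc, "rc.conf"), "a") as f:
        f.write("# unexpected change\n")
    with open(os.path.join(etc, "dropped.txt"), "w") as f:
        f.write("placeholder content\n")

    after = snapshot([etc])
    report = diff_snapshots(before, after)
    return {k: [os.path.relpath(p, etc) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

In production the baseline would be stored off-box (or at least outside the watched directories) and regenerated only after an authorized change such as a patch or a deliberate configuration edit, so that a file appearing in /etc right after a backup request stands out rather than being absorbed into the next baseline.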

Disclosure

12/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00321

KEV

no

Activities

very low

Sources
