Chasing the OPNsense RCE: The Story Behind My First CVEs (CVE-2026-57155)
I think every security researcher remembers their first CVE. For me, that milestone did not arrive as a single, low-impact bug. Instead, during one of my designated security research weeks at Hacking Cult, my deep dive into OPNsense yielded five accepted vulnerabilities. This milestone was capped off by a critical Remote Code Execution flaw with a 9.9 CVSS rating (CVE-2026-57155).
As a popular open-source FreeBSD-based firewall and routing platform, OPNsense sits at the edge of enterprise and home networks. OPNsense's stated goal is to make digital security accessible to everyone by providing, for free, all the features of expensive commercial firewalls and more.
As penetration testers at our company, we regularly have the opportunity to spend time on security research and professional development. Because we rely heavily on open-source software, we decided to use this time to conduct penetration tests to help improve the ecosystem. In a community poll, OPNsense was suggested as a target, a perfect fit!
Over the course of five days, I was able to identify eight vulnerabilities. In the interest of responsible disclosure, this write-up will focus exclusively on the five that have already been patched. Of the remaining three, one was identified as a duplicate, while the other two are still under active review by the maintainers at the time of writing.
Thanks to the rapid and professional response of the OPNsense team, all five disclosed vulnerabilities have been successfully remediated.
In this post, I will walk you through the background story of this research week, briefly outline the four moderate bugs, and finally provide a deep-dive technical analysis of how I discovered and chained together CVE-2026-57155 to achieve full RCE.
A Week in the Code
The research kicked off with setting up an OPNsense instance on a virtual machine. I downloaded the source code of the OPNsense core and began diving straight in. My primary goal was to map out the application's attack surface, tracing the routing logic and the Phalcon-based Model-View-Controller (MVC) framework that powers the web interface.
To achieve this, a major cornerstone of my methodology was manual taint analysis. I extensively utilized ripgrep with custom regular expressions to hunt for potential sinks across the massive PHP codebase. By grepping for dangerous functions, such as file system operations, shell executions and unsanitized output, I could manually trace the execution flow backward to see if user-supplied input ever reached those sinks without proper validation.
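The sink hunt described above, as an added example that is not code from the original post or from the OPNsense project: a small POSIX shell script that lists call sites of common command-execution and file-system sinks in PHP sources, so that each candidate can be traced backward to its inputs by hand. It assumes the scan root is passed as the first argument, uses ripgrep (rg) when installed and falls back to grep -E otherwise; the sample PHP file it writes is constructed here for illustration only.

```shell
# Added example, not code from the original post or from OPNsense: a sink
# hunt over PHP sources in the spirit of the ripgrep approach described above.
# Assumptions: scan root is $1; rg is used if installed, else POSIX grep -E;
# the sample PHP file below is constructed for illustration only.

# Portable ERE: a sink name not preceded by an identifier character,
# followed by optional whitespace and an opening parenthesis.
SINK_RE='(^|[^A-Za-z0-9_])(exec|shell_exec|system|passthru|popen|proc_open|file_put_contents|unlink|unserialize)[[:space:]]*\('

# hunt_sinks DIR: print candidate sink call sites as file:line:content
hunt_sinks() {
    if command -v rg >/dev/null 2>&1; then
        rg -n --type php -e "$SINK_RE" "$1" || true
    else
        grep -rnE --include='*.php' -e "$SINK_RE" "$1" || true
    fi
}

# count_sinks DIR: number of candidate call sites; manual review starts here
count_sinks() {
    hunt_sinks "$1" | wc -l | tr -d ' '
}

# make_sample: write a constructed PHP file into a temp dir and print the dir.
# All three sink lines are flagged; deciding which of them is reachable from
# unsanitized input is the manual backward-tracing step, not the grep.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/sample.php" <<'EOF'
<?php
$host = $_GET['host'];
// reachable sink: user input is concatenated straight into the command
system("ping -c 1 " . $host);
// same sink family, but the argument is escaped first
$out = shell_exec("ping -c 1 " . escapeshellarg($host));
// file-system sink with user-controlled content
file_put_contents("/tmp/last_host", $host);
echo "done";
EOF
    printf '%s\n' "$dir"
}

# Usage: sh sinks.sh /path/to/php/source   (no argument: scan the sample)
if [ -n "${1:-}" ]; then
    hunt_sinks "$1"
else
    hunt_sinks "$(make_sample)"
fi
```

The regular expression is deliberately loose: it reports the escaped shell_exec call as well as the unescaped system call, because the grep's job is to enumerate candidates quickly, and the judgement about whether user input reaches each one unvalidated is made while reading the code backward from the hit.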