OPNsense CVE-2026-57155: Root RCE via GeoIP Alias

OPNsense CVE-2026-57155

OPNsense CVE-2026-57155 (CVSS 9.9) is a path-traversal flaw in the firewall’s GeoIP alias importer that lets a low-privileged user escalate to full root remote code execution. It is the fifth critical or high-severity OPNsense vulnerability disclosed since May 2026, and it matters disproportionately for German Mittelstand IT teams and MSPs because OPNsense’s free, open-source model has made it a default firewall choice across the region.

What Happened

OPNsense’s GeoIP alias feature downloads a country-code database from a configurable address and processes it with root privileges. Researchers found that earlier OPNsense versions validated neither the source address nor the contents of that database file. An attacker who can redirect the GeoIP source — reachable by any user holding only the “Firewall: Alias: Edit” permission, not full administrative access — can host a maliciously crafted database whose unsanitized country_code field is used directly as an output filename. Combined with directory traversal, this writes attacker-controlled content to an attacker-chosen path as root.

On its own, that arbitrary root file write is bad enough. Chained with OPNsense’s default newsyslog cronjob, it escalates to full remote code execution as root — meaning complete firewall takeover. The researcher, supported by Hacking Cult GmbH, disclosed the issue through OPNsense’s coordinated disclosure process; the vendor responded quickly and shipped a complete fix in version 26.1.11. Versions before 26.1.10 are affected.

This is not an isolated incident. OPNsense has now disclosed five critical or high-severity remote-code-execution and privilege-escalation CVEs since May 12, 2026 alone: CVE-2026-44193 (CVSS 9.1, RCE via the XMLRPC library), CVE-2026-44194 (root RCE via a crafted username), CVE-2026-45158 (root RCE via a manipulated DHCP hostname), CVE-2026-44195 (login lockout bypass), and now CVE-2026-57155. Public proof-of-concept code exists for several of these. There is no confirmed active exploitation of CVE-2026-57155 in the wild as of this writing, but mass scanning activity has historically followed similar OPNsense disclosures within about a week.

Why It Matters

OPNsense is a common firewall choice for cost-conscious German SMBs and the managed service providers who run infrastructure on their behalf — precisely because it is free, open-source, and capable. That popularity is exactly what makes the low privilege bar on this vulnerability significant: “Firewall: Alias: Edit” is a permission many MSPs delegate to junior technicians, or even expose to client-side users who need to manage geo-blocking rules, without expecting it to be a path to full root access. An account that was never meant to hold administrative trust can end up controlling the entire perimeter device.

For NIS2-regulated entities, a compromised firewall is a compromised network boundary — the kind of single point of failure that undermines segmentation controls documented in a risk assessment, regardless of how well other layers are configured.

What You Should Do Now

  1. Upgrade to OPNsense 26.1.11 immediately; this single release addresses CVE-2026-57155 along with the other four CVEs disclosed since May.
  2. Audit which accounts hold the “Firewall: Alias: Edit” permission (or any alias/GeoIP-related permission) and confirm none of them are held by unmanaged or client-side accounts without a documented business need.
  3. If you cannot patch immediately, disable or restrict GeoIP alias functionality and verify the configured GeoIP source URL has not been altered from the vendor default.
  4. Review firewall configuration logs for unexpected changes to GeoIP alias source addresses, and check for unfamiliar files written outside expected directories following any newsyslog rotation event.

DIESEC Perspective

This is the pattern we see repeatedly in Mittelstand environments: a permission that looks operationally harmless — “just edit a firewall alias” — turns out to be a full privilege-escalation primitive once you trace the actual code path. Five OPNsense CVEs in two months is also a reminder that “open-source and free” does not mean “lower attack surface”; it means the patch cadence has to be part of someone’s job description, not an occasional afterthought.

Not sure whether your OPNsense deployment’s user permission model has this kind of gap? Contact DIESEC for a rapid firewall configuration and permissions review.

Sources: Heise Security | HackerAsk (Discoverer Writeup)
Published: 2026-07-07 | Category: Vulnerabilities & Patches | ~4 min read