{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/opnsense/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-34578"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ldap-injection","vulnerability","opnsense"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOPNsense, a FreeBSD-based firewall and routing platform, is susceptible to an LDAP injection vulnerability (CVE-2026-34578) in versions prior to 26.1.6. The vulnerability stems from the LDAP authentication connector\u0026rsquo;s failure to sanitize the login username before incorporating it into an LDAP search filter. This oversight enables unauthenticated attackers to inject LDAP filter metacharacters through the username field of the WebGUI login page. This allows for enumeration of valid LDAP usernames. Furthermore, if the LDAP server configuration employs an Extended Query to limit login access to specific group members, the same injection technique can circumvent this restriction, enabling authentication as any LDAP user with a known password, irrespective of their group affiliation. 
The vulnerability is resolved in OPNsense version 26.1.6.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker accesses the OPNsense WebGUI login page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a username containing LDAP filter metacharacters such as \u003ccode\u003e(\u003c/code\u003e, \u003ccode\u003e)\u003c/code\u003e, \u003ccode\u003e*\u003c/code\u003e and \u003ccode\u003e|\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted username through the WebGUI login form, together with the target user\u0026rsquo;s real password when the goal is to bypass the group restriction; username enumeration needs no valid password.\u003c/li\u003e\n\u003cli\u003eThe OPNsense LDAP authentication connector receives the username.\u003c/li\u003e\n\u003cli\u003eThe connector interpolates the unsanitized username directly into the LDAP search filter, so the metacharacters change the structure of the filter instead of being matched literally.\u003c/li\u003e\n\u003cli\u003eThe LDAP server evaluates the injected filter.\u003c/li\u003e\n\u003cli\u003eThe result set drives the login outcome. A wildcard probe such as \u003ccode\u003ea*\u003c/code\u003e reveals whether any username with that prefix exists, because a search that returns an entry behaves differently from one that returns nothing. A payload that turns the AND with the Extended Query group clause into an OR, for example, makes the search return the target user even though that user is not in the required group.\u003c/li\u003e\n\u003cli\u003eIf the group restriction is bypassed and the supplied password is correct, the attacker is logged in to the WebGUI with the privileges OPNsense assigns to that LDAP user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation lets an unauthenticated attacker enumerate valid usernames in the LDAP directory, which aids follow-on attacks such as password spraying and credential stuffing. More critically, where the LDAP server configuration relies on an Extended Query to restrict WebGUI access to a group, an attacker who knows the password of any directory user (a reused or phished one, for example) can bypass that restriction and log in as that user, gaining access to the firewall and the network it protects. This can lead to data breaches, system compromise, and disruption of services. 
The specific impact depends on the privileges associated with the compromised LDAP user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OPNsense to version 26.1.6 or later to patch CVE-2026-34578 immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OPNsense LDAP Injection Attempts\u003c/code\u003e to identify exploitation attempts based on specific LDAP metacharacters in HTTP requests.\u003c/li\u003e\n\u003cli\u003eReview OPNsense logs for login attempts whose username contains filter metacharacters (\u003ccode\u003e(\u003c/code\u003e, \u003ccode\u003e)\u003c/code\u003e, \u003ccode\u003e*\u003c/code\u003e, \u003ccode\u003e\\\u003c/code\u003e). A plain webserver access log records the request line but not the POST body, so the submitted username is only visible where the authentication failure is logged together with it, or where a proxy or WAF in front of the WebGUI logs request bodies.\u003c/li\u003e\n\u003cli\u003eAs a stop-gap until the upgrade, implement web application firewall (WAF) rules that reject LDAP filter metacharacters in the username field of login requests. This blocks the straightforward payloads but is not a substitute for the fix: the username has to be escaped at the point where the connector builds the filter, which only the patched software can do.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T15:16:10Z","date_published":"2026-04-09T15:16:10Z","id":"/briefs/2024-02-29-opnsense-ldap-injection/","summary":"OPNsense versions prior to 26.1.6 are vulnerable to LDAP injection, allowing unauthenticated attackers to enumerate valid LDAP usernames and bypass group membership restrictions via the WebGUI login page.","title":"OPNsense LDAP Injection Vulnerability (CVE-2026-34578)","url":"https://feed.craftedsignal.io/briefs/2024-02-29-opnsense-ldap-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Opnsense","version":"https://jsonfeed.org/version/1.1"}
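The attack chain and the fix described in the brief, as an added worked example. This is not OPNsense's connector code and not taken from the advisory: the filter template `(&(uid=USER)EXT)`, the `uid` attribute, the `usernamefld` form field name, the toy directory, the passwords and the sample POST bodies are all constructed assumptions. The toy filter parser is also deliberately lenient about an AND left unclosed at the end of the string; that leniency is an assumption about the filter encoder in use, and it is what lets the unbalanced group-bypass payload through.

```python
"""LDAP filter injection through an unescaped login username, next to the
escaping that closes it.  Added example, not OPNsense's connector code: the
filter template, 'uid' attribute, 'usernamefld' field name, directory contents
and form bodies are all constructed assumptions."""
import re
from urllib.parse import unquote

# Constructed directory: alice is in the admin group, bob is not.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "memberof": ["cn=fwadmins,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"], "memberof": ["cn=staff,ou=groups,dc=example,dc=com"]},
}
PASSWORDS = {"uid=alice,ou=people,dc=example,dc=com": "alice-pw",
             "uid=bob,ou=people,dc=example,dc=com": "bob-pw"}
GROUP_QUERY = "(memberOf=cn=fwadmins,ou=groups,dc=example,dc=com)"  # assumed Extended Query

def parse_filter(s):
    """Parse a subset of RFC 4515 (&, |, !, attr=value with '*' wildcards).
    Deliberately lenient: an AND/OR left unclosed at end of string is accepted
    (an assumption about the encoder in use; verify it for your own stack)."""
    if len(s) < 2 or s[0] != "(":
        raise ValueError("filter must start with '('")
    if s[1] in "&|!":
        kids, rest = [], s[2:]
        while rest.startswith("("):
            kid, rest = parse_filter(rest)
            kids.append(kid)
        if rest and rest[0] != ")":
            raise ValueError("expected ')'")
        return (s[1], kids), rest[1:]
    end = s.find(")")
    if end < 0:
        raise ValueError("unterminated assertion")
    attr, _, val = s[1:end].partition("=")
    return ("=", attr.lower(), val), s[end + 1:]

def unescape_value(v):
    """Decode RFC 4515 \\XX hex escapes back to the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    # A raw '*' is a wildcard; split on it before unescaping so \2a stays literal.
    parts = [re.escape(unescape_value(p)) for p in val.split("*")]
    pattern = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
    return any(pattern.match(v) for v in entry.get(attr, []))

def search(filter_str):
    """DNs in the toy directory that match filter_str."""
    node, _ = parse_filter(filter_str)
    return [dn for dn, entry in DIRECTORY.items() if matches(node, entry)]

def escape_filter_value(value):
    """RFC 4515 escaping of the five characters that alter a filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(username, escape):
    """Assumed connector template: user clause AND-ed with the Extended Query.
    escape=False is the vulnerable shape, escape=True the hardened one."""
    value = escape_filter_value(username) if escape else username
    return "(&(uid=%s)%s)" % (value, GROUP_QUERY)

def login(username, password, escape):
    """Modelled connector flow: search, then check the first hit's password.
    The three distinct outcomes are what an attacker can tell apart."""
    try:
        hits = search(build_filter(username, escape))
    except ValueError:
        return "invalid-filter"
    if not hits:
        return "no-such-user"
    dn = hits[0]
    return "ok:" + dn if PASSWORDS.get(dn) == password else "bad-password"

FILTER_METACHARS = re.compile(r"[()*\\\x00]")

def flag_injected_usernames(form_bodies):
    """Detection over captured login POST bodies (constructed samples): a decoded
    username field should never contain a filter metacharacter."""
    flagged = []
    for body in form_bodies:
        m = re.search(r"(?:^|&)usernamefld=([^&]*)", body)
        if m and FILTER_METACHARS.search(unquote(m.group(1))):
            flagged.append(unquote(m.group(1)))
    return flagged

if __name__ == "__main__":
    payload = "bob)(|(uid=bob"  # turns the AND with the group clause into an OR
    print(build_filter(payload, escape=False))
    print(login("bob", "bob-pw", escape=False))       # no-such-user: bob is not in the group
    print(login(payload, "bob-pw", escape=False))     # ok:uid=bob,...  group check bypassed
    print(login(payload, "bob-pw", escape=True))      # no-such-user: payload matched literally
    print(login("a*)(|(uid=a*", "x", escape=False))  # bad-password: some username starts with 'a'
```

Two things are worth noticing when running it. First, `bob` with his correct password is refused by the honest filter because he is not in `fwadmins`, but the same password logs him in once the username rewrites the filter; the restriction lived in a string the attacker controls. Second, the enumeration probe never needs a password: `bad-password` versus `no-such-user` is already an oracle, and `a*` with a raw wildcard matches any name starting with `a`. With `escape=True` every metacharacter becomes a `\XX` sequence and both probes return `no-such-user`, which is the behaviour a patched connector should show. The `flag_injected_usernames` check is the detection side of the same idea, and it only works on data that actually contains the submitted username.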