Impact
An authenticated attacker can submit a crafted file name to diag_backup.php. The page passes that string into the system call that performs the backup without adequate validation, so shell metacharacters embedded in the name cause arbitrary commands to run as root. This is a classic OS command injection, and because the backup runs with root privileges a single successful request amounts to full compromise of the firewall. The advisory describes the attacker as network-adjacent with authenticated access to the OPNsense web interface, so the exposed surface is the administrative UI rather than an unauthenticated network service.
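The pattern the advisory describes, as an added illustration in PHP (OPNsense's web-interface language); this is not OPNsense's own code, and the function names, the BACKUP_DIR constant, the tar command and the sample inputs are all assumptions made for the example. The vulnerable function shows a file name concatenated straight into a shell command; the hardened function allowlists the name to a single safe path component and quotes it before it can reach the shell.

```php
<?php
// Added illustration, not OPNsense code: how a user-supplied file name reaches
// a shell, and how to stop it. Function names, BACKUP_DIR and the tar command
// are hypothetical. Both builders only return the command string; nothing is
// executed, so the script is safe to run.

declare(strict_types=1);

const BACKUP_DIR = '/conf/backup';  // assumed location, not from the advisory

// Vulnerable pattern: the user string is concatenated into the command line.
// With $name = 'config.xml; id' the shell would run `id` as the effective user
// of the web server process (root in the scenario the advisory describes).
function build_backup_cmd_vulnerable(string $name): string
{
    return '/usr/bin/tar -czf /tmp/' . $name . '.tgz ' . BACKUP_DIR . '/' . $name;
}

// Hardened pattern, step 1: allowlist. Accept one path component made of a
// conservative character set, no leading dot, no '..'. Returns null on reject.
function validate_backup_name(string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)) {
        return null;
    }
    if (str_contains($name, '..')) {   // PHP 8.0+
        return null;
    }
    return $name;
}

// Hardened pattern, step 2: quote every argument with escapeshellarg().
// The allowlist already excludes shell metacharacters; quoting keeps the
// command safe if the regex is ever loosened in a later change.
function build_backup_cmd_hardened(string $name): ?string
{
    $safe = validate_backup_name($name);
    if ($safe === null) {
        return null;
    }
    return '/usr/bin/tar -czf ' . escapeshellarg('/tmp/' . $safe . '.tgz')
        . ' ' . escapeshellarg(BACKUP_DIR . '/' . $safe);
}

// Constructed sample inputs: one legitimate name, then three injection and
// traversal attempts of the kind a crafted request would carry.
$inputs = ['config-2024.xml', 'config.xml; id', '../../etc/passwd', '$(whoami)'];
foreach ($inputs as $in) {
    printf("%-20s vulnerable: %s\n", $in, build_backup_cmd_vulnerable($in));
    printf("%-20s hardened:   %s\n", '', build_backup_cmd_hardened($in) ?? 'REJECTED');
}
```

The stronger fix is to avoid the shell altogether: on PHP 7.4 and later, proc_open() accepts the command as an array, in which case each element is passed to the program as a separate argument and no shell parses the file name at all. Validation of the name is still worthwhile in that design, because a value such as ../../etc/passwd is a path-traversal problem regardless of how the command is invoked.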
Affected Systems
This vulnerability affects OPNsense, the open-source firewall platform maintained by Deciso. The advisory gives no version range, so every installation running the affected diag_backup.php code path should be treated as at risk until the vendor update is applied.
Risk and Exploitability
The CVSS score of 6.8 places the baseline severity in the medium range: the authentication requirement keeps it below the scores usually attached to unauthenticated RCE, even though the outcome is root-level code execution. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days as of the latest data; EPSS is a prediction, not a count of observed attack attempts. The vulnerability is not in the CISA KEV catalog, meaning CISA has no confirmed evidence of active exploitation. Attackers who obtain valid web-interface credentials, reuse a stolen session, or chain a separate authentication bypass can reach the backup endpoint and exploit this weakness, so an administrative UI exposed to untrusted networks carries more practical risk than the score alone suggests.
OpenCVE Enrichment