Security readout for executives and security teams
Plain-English summary
CVE-2019-25371 is a reflected cross-site scripting issue in OPNsense 19.1. An attacker could trick a user into interacting with a crafted request that causes JavaScript to run in that user’s browser. Business risk is highest where the OPNsense management interface is reachable by untrusted networks or administrators use exposed web sessions.
Executive priority
Prioritize remediation for internet-exposed or broadly reachable OPNsense management interfaces. For tightly restricted admin networks, handle through normal patch management. The risk is moderate because exploitation needs user interaction, but successful abuse could affect administrator browser sessions and trust boundaries.
Technical view
OPNsense 19.1 insufficiently validates the host parameter on diag_ping.php, enabling unauthenticated reflected XSS via crafted POST input. The CVSS 3.1 score is 6.1, with low complexity, no privileges required, user interaction required, changed scope, and low confidentiality and integrity impact. CWE-79 applies.
Likely exposure
Systems running OPNsense 19.1 are potentially exposed, especially if the web management interface is accessible beyond trusted administrative networks. The issue requires user interaction, so exposure depends on whether an attacker can induce an administrator or other user to interact with malicious content.
Exploitation context
A public ExploitDB entry is cited, indicating exploit information is available. The source bundle does not identify CISA KEV listing or confirmed active exploitation. Treat this as a credible but interaction-dependent web UI risk, not as evidence of ongoing exploitation.
Researcher notes
The provided record is specific to OPNsense 19.1 and diag_ping.php reflected XSS. Do not generalize to other OPNsense versions without vendor evidence. Public exploit availability increases validation urgency, but the bundle does not prove active exploitation or list KEV status.
Mitigation direction
- Identify any OPNsense 19.1 systems in inventory.
- Review OPNsense 19.1.1 release guidance cited as the patch reference.
- Upgrade or apply vendor-recommended fixes where applicable.
- Restrict management interface access to trusted administrative networks.
- Use browser and session hygiene for firewall administration.
Validation and detection
- Confirm installed OPNsense version on managed firewall systems.
- Verify whether diag_ping.php is reachable from untrusted networks.
- Check that management access is limited to approved administrators and networks.
- Review web logs for suspicious requests to diag_ping.php.
- Confirm remediation against vendor release notes or advisory guidance.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2019-25371 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.1 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N2.82.7Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
6.1MediumVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Source materials
- CVE List V5 sourceCVE List V5
- ExploitDB-46351CVE reference · exploit
- OPNsense Official WebsiteCVE reference · product
- OPNsense 19.1.1 Release AnnouncementCVE reference · patch
- VulnCheck Advisory: OPNsense 19.1 Reflected XSS via diag_ping.phpCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
