OPNsense 25.7.8 — Key Changes, Security Enhancements, and What You Need to Know
The latest OPNsense update, version 25.7.8, has just been released, bringing with it a strong focus on improved security, safer command execution, and several enhancements across the system. As an MSP working extensively with firewalls and network infrastructure, we keep a close eye on updates that affect security posture, system reliability, and long-term stability — and this one is worth your attention.
Below, we’ve included a short breakdown of the most important changes, along with our detailed video overview.
Major Security Improvements
A key theme in this release is safer command execution. The OPNsense team has rewritten the Shell class and audited all related calls to reduce potential command injection risks. While the issue referenced in the release notes wasn’t an exploitable vulnerability in typical deployments, it sparked a wider internal cleanup and modernisation effort.
This update lays the groundwork for further hardening expected in the lead-up to OPNsense 26.1.
Unbound Blocklists Now in the Community Edition
One of the most notable changes is the introduction of the enhanced Unbound Blocklists into the Community Edition.
Previously exclusive to the Business Edition, the feature is now available to everyone.
If you apply DNS filtering, be aware:
- Your existing blocklist configuration may not automatically regenerate
- You should reapply or verify your settings after the update
This is a welcome enhancement that strengthens DNS-level security for all users.
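One way to run the "verify your settings" step above from a LAN client, as an added example that is not from the release notes or the OPNsense project. It assumes `dig` is installed on the client and that a blocked name is answered with NXDOMAIN or with the null addresses 0.0.0.0 / ::. The resolver address and the domain names you pass in are your own values.

```shell
#!/bin/sh
# Post-upgrade check: do names from your Unbound blocklist still come back blocked?
# Assumption: "blocked" means NXDOMAIN, or every A/AAAA answer is 0.0.0.0 or ::.

# classify_dig_output TEXT -> prints blocked | resolving | unknown
# TEXT is the output of: dig @resolver name A +noall +comments +answer
classify_dig_output() {
    out="$1"
    # Response code from the ";; ->>HEADER<<- ... status: X" comment line.
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    # Address records only; CNAME steps in the chain are skipped.
    addrs=$(printf '%s\n' "$out" |
        awk '$1 !~ /^;/ && ($4 == "A" || $4 == "AAAA") { print $5 }')

    if [ "$status" = "NXDOMAIN" ]; then
        echo blocked
        return 0
    fi
    # SERVFAIL, timeouts and empty answers say nothing about the blocklist.
    if [ "$status" != "NOERROR" ] || [ -z "$addrs" ]; then
        echo unknown
        return 0
    fi
    for a in $addrs; do
        case "$a" in
            0.0.0.0|::) ;;                      # null address: still blocked
            *) echo resolving; return 0 ;;      # a real address leaked through
        esac
    done
    echo blocked
}

# Usage: sh check_blocklist.sh <firewall-dns-ip> <name-on-your-blocklist>...
# Exits non-zero if any name is not reported as blocked.
if [ "$#" -ge 2 ]; then
    resolver="$1"
    shift
    rc=0
    for name in "$@"; do
        answer=$(dig @"$resolver" "$name" A +noall +comments +answer)
        verdict=$(classify_dig_output "$answer")
        printf '%s\t%s\n' "$name" "$verdict"
        [ "$verdict" = "blocked" ] || rc=1
    done
    exit "$rc"
fi
```

Run it once before the upgrade with a handful of names from your lists, then again afterwards; any name that flips from `blocked` to `resolving` means the blocklist needs to be reapplied.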
Kernel and Virtualisation Improvements
This update also includes a new kernel, particularly improving the vtnet driver — good news for anyone deploying OPNsense on Proxmox, ESXi, or other virtualised environments.
These stability and performance improvements should benefit most cloud and virtual deployments.
Additional Notable Updates
Here are some other important enhancements included in 25.7.8:
- Revised PPPoE behaviour when CARP is disabled
- Fixes for packet capture and ping functions
- Improved firewall live logging
- Better CNAME handling within Unbound
- IPsec enhancements including AES256GCM16 support
- Plugin updates including FreeRADIUS, FRR, and a new IPv6 NDP Proxy
- Multiple upstream port updates (curl, OpenVPN, PHP, NSS, PCRE2)
Should You Apply the Update Now?
For most environments: Yes — but double-check Unbound blocklists after upgrading.
This release includes significant security improvements and fixes, making it a beneficial update for the majority of deployments. As always, test first if you operate a complex or high-availability environment.
If you’d like assistance with OPNsense upgrades, firewall deployment, or network hardening, our team at Sheridan Computers can help.