CVE-2025-14558
published 2026-03-09


Priority: P356 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.27% (92.7th percentile)
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell commands passed as input to resolvconf(8) may be executed.

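Affected (6 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | | |
| freebsd | freebsd | | |
| freebsd | freebsd | | |
| freebsd | freebsd | >= 13.5-RELEASE < p8 | p8 |
| freebsd | freebsd | >= 14.3-RELEASE < p7 | p7 |
| freebsd | freebsd | >= 15.0-RELEASE < p1 | p1 |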

Detection & IOCs (extracted from sources)

command: $() substitution in DNSSL domain name fields of IPv6 Router Advertisement
snort:
alert ip any any -> $HOME_NET any (msg:"ET EXPLOIT FreeBSD rtsold DNSSL Remote Code Execution (CVE-2025-14558)"; content:"|1f|"; pcre:"/^.{7,64}[\x3b\x26\x60\x7c\x24]/R"; icmpv6.hdr; content:"|86 00|"; startswith; reference:url,github.com/JohannesLks/CVE-2025-14558; reference:cve,2025-14558; classtype:bad-unknown; sid:2066447; rev:1; metadata:attack_target Client_and_Server, created_at 2025_12_23, cve CVE_2025_14558, deployment Perimeter, deployment Internal, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2025_12_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |86 00| (ICMPv6 Router Advertisement type/code bytes)
bytes: |1f| (DNSSL option type=31 in ICMPv6 RA)
  • Detect malicious IPv6 Router Advertisements (ICMPv6 type 134, code 0; bytes |86 00|) containing a DNSSL option (type 31; byte |1f|) with a shell metacharacter (;, &, `, |, $) 7 to 64 bytes after the matched |1f| byte, as matched by the ET rule pcre /^.{7,64}[\x3b\x26\x60\x7c\x24]/R.
  • Attack requires Layer 2 adjacency (same network segment); Router Advertisement messages are not routable and should be dropped by routers, so monitoring should focus on internal/perimeter segments.
  • Target identification: FreeBSD hosts with ACCEPT_RTADV enabled on a network interface are vulnerable. Check for 'ACCEPT_RTADV' in the nd6 option list reported by ifconfig(8) to identify exposed systems.
  • Exploit sends crafted RA packets to the IPv6 all-nodes multicast address ff02::1 from a link-local source (fe80::1), with the DNSSL option (RFC 6106) carrying $()-wrapped shell commands encoded as DNS wire-format labels.
  • The injection vector is $() command substitution placed inside a DNS label within the DNSSL option; payloads longer than 63 bytes are split across multiple labels. Monitor for anomalous DNS-wire-format labels containing shell metacharacters in ICMPv6 RA traffic.
  • The Snort/Suricata ET rule (sid:2066447) is rated 'confidence Medium' and 'performance_impact Moderate'; tune accordingly in high-traffic IPv6 environments.
  • Systems not using IPv6, or IPv6 systems not configured to accept router advertisement messages (ACCEPT_RTADV absent), are not affected and do not require detection tuning for this CVE.
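
The check described in the bullets above, as an added Python example (not part of the original page, the ET rule or any FreeBSD code): it walks the options of an ICMPv6 Router Advertisement, decodes the DNSSL labels and returns those containing the metacharacters the rule's pcre matches. The function names and the sample messages are constructed for illustration.

```python
# Added example: flag shell metacharacters in DNSSL labels of an ICMPv6 RA.
SHELL_META = set(b";&`|$")      # same bytes as the ET rule's pcre class
ND_RA, OPT_DNSSL = 134, 31      # ICMPv6 type 134; option type 31 (0x1f)

def dnssl_labels(names):
    """Yield each raw label from a DNSSL domain-names field."""
    i = 0
    while i < len(names):
        n = names[i]
        if n > 63 or i + 1 + n > len(names):
            yield names[i:]     # not a valid label: hand back the rest unparsed
            return
        if n:                   # n == 0 is a name terminator or padding
            yield names[i + 1:i + 1 + n]
        i += 1 + n

def scan_ra(icmp6):
    """Return the DNSSL labels in an ICMPv6 message that contain SHELL_META."""
    if len(icmp6) < 16 or icmp6[0] != ND_RA or icmp6[1] != 0:
        return []               # not a Router Advertisement
    hits, off = [], 16          # options start after the 16-byte RA header
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(icmp6):
            break               # malformed option, stop walking
        if otype == OPT_DNSSL and olen > 8:
            # skip type, length, reserved(2), lifetime(4) = 8 bytes
            names = icmp6[off + 8:off + olen]
            hits += [l for l in dnssl_labels(names) if SHELL_META & set(l)]
        off += olen
    return hits

# Constructed sample messages (ICMPv6 payload only, checksum left as zero).
RA_HDR = bytes.fromhex("8600000040000708" + "00" * 8)
DNSSL_HDR = bytes.fromhex("1f03000000000708")   # type 31, length 3, lifetime 1800
BENIGN = RA_HDR + DNSSL_HDR + b"\x07example\x03com\x00" + b"\x00" * 3
SUSPECT = RA_HDR + DNSSL_HDR + b"\x06a$(x)b\x03lan\x00" + b"\x00" * 4

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_ra(msg))
```

Unlike the byte-offset pcre, this decodes label boundaries, so it also covers labels that start more than 64 bytes into the option.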