CVE-2025-14558
Published: 2026-03-09
Priority: P356 high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 6.27% (92.7th percentile)
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified.
resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell commands passed as input to resolvconf(8) may be executed.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | >= 13.5-RELEASE < p8 | p8 |
| freebsd | freebsd | >= 14.3-RELEASE < p7 | p7 |
| freebsd | freebsd | >= 15.0-RELEASE < p1 | p1 |
Detection & IOCs
snort
alert ip any any -> $HOME_NET any (msg:"ET EXPLOIT FreeBSD rtsold DNSSL Remote Code Execution (CVE-2025-14558)"; content:"|1f|"; pcre:"/^.{7,64}[\x3b\x26\x60\x7c\x24]/R"; icmpv6.hdr; content:"|86 00|"; startswith; reference:url,github.com/JohannesLks/CVE-2025-14558; reference:cve,2025-14558; classtype:bad-unknown; sid:2066447; rev:1; metadata:attack_target Client_and_Server, created_at 2025_12_23, cve CVE_2025_14558, deployment Perimeter, deployment Internal, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2025_12_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Bytes: |86 00| (ICMPv6 Router Advertisement type/code bytes)
Bytes: |1f| (DNSSL option type=31 in ICMPv6 RA)
- Detect malicious IPv6 Router Advertisements (ICMPv6 type 134, code 0; bytes |86 00|) containing a DNSSL option (type 31; byte |1f|) in which a shell metacharacter (;, &, `, |, $) follows the |1f| byte by 7 to 64 bytes, as matched by the ET rule pcre /^.{7,64}[\x3b\x26\x60\x7c\x24]/R.
- The attack requires Layer 2 adjacency (same network segment); Router Advertisement messages are not routable and should be dropped by routers, so monitoring should focus on internal/perimeter segments.
- Target identification: FreeBSD hosts with ACCEPT_RTADV enabled on a network interface are vulnerable. Check for 'ACCEPT_RTADV' in the ifconfig(8) nd6 option list to identify exposed systems.
- The exploit sends crafted RA packets to the IPv6 all-nodes multicast address ff02::1 from a link-local source (fe80::1), with the DNSSL option (RFC 6106) carrying $()-wrapped shell commands encoded as DNS wire-format labels.
- The injection vector is $() command substitution placed inside a DNS label within the DNSSL option; payloads longer than 63 bytes are split across multiple labels. Monitor for anomalous DNS wire-format labels containing shell metacharacters in ICMPv6 RA traffic.
- The Snort/Suricata ET rule (sid:2066447) is rated 'confidence Medium' and 'performance_impact Moderate'; tune accordingly in high-traffic IPv6 environments.
- Systems not using IPv6, or IPv6 systems not configured to accept router advertisement messages (ACCEPT_RTADV absent), are not affected and do not require detection tuning for this CVE.
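
A label-aware version of the check described in the list above, as an added example (not code from the ET ruleset, FreeBSD, or any source indexed here): it decodes the DNSSL option of a captured RA and flags search domains containing characters outside a hostname allow-list. The function names, the `LDH` allow-list, the `ET_LIKE` regex approximation of the rule's byte pattern, and the constructed sample input are assumptions of this example; input is the ICMPv6 message starting at its type byte.

```python
import re
import struct

RA_TYPE, DNSSL_TYPE = 134, 31            # ICMPv6 Router Advertisement; DNSSL option
RULE_META = set(b";&`|$")                # metacharacters matched by the ET rule's pcre
LDH = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")  # assumed allow-list
ET_LIKE = re.compile(rb"\x1f.{7,64}[\x3b\x26\x60\x7c\x24]", re.S)  # the rule's byte pattern, approximated

def dnssl_domains(icmp6: bytes):
    """Yield each DNSSL search domain in an RA as a list of raw labels; ValueError if malformed."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE or icmp6[1] != 0:
        return                                         # not a Router Advertisement
    off = 16                                           # options follow the fixed RA header
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8   # option length is in 8-octet units
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed RA option")
        if otype == DNSSL_TYPE:
            body, pos, labels = icmp6[off + 8:off + olen], 0, []
            while pos < len(body):
                n, pos = body[pos], pos + 1
                if n == 0 and labels:                  # root label terminates a name
                    yield labels
                    labels = []
                elif n > 63 or pos + n > len(body):    # not a plain label, or overruns the option
                    raise ValueError("malformed DNSSL name")
                elif n:                                # a lone zero byte is padding
                    labels.append(body[pos:pos + n])
                    pos += n
        off += olen

def inspect_ra(icmp6: bytes):
    """Return (domain, offending_chars, hits_rule_metachar) for each suspicious search domain."""
    findings = []
    for labels in dnssl_domains(icmp6):
        bad = {c for label in labels for c in label if c not in LDH}
        if bad:
            name = b".".join(labels).decode("latin-1")
            findings.append((name, "".join(sorted(map(chr, bad))), bool(bad & RULE_META)))
    return findings

def sample_ra(*domains: bytes) -> bytes:
    """Constructed test input: a minimal RA (checksum left zero) carrying one DNSSL option."""
    body = b"".join(bytes([len(l)]) + l for d in domains for l in d.split(b".") + [b""])
    body += bytes(-len(body) % 8)                      # pad the option to a multiple of 8 octets
    return (struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
            + struct.pack("!BBHI", DNSSL_TYPE, 1 + len(body) // 8, 0, 600) + body)
```

A benign search domain whose first label is 36 bytes long has the length byte 0x24 (`$`), so `ET_LIKE` matches `sample_ra(b"a" * 36 + b".example")` while `inspect_ra` returns no finding for it; this is one reason to pair the byte-level rule with label-aware triage.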
GHSA
GHSA-m67m-4jp2-2c59
ghsa_unreviewed·2026-03-09
CVE-2025-14558 [HIGH] CWE-20
BSD
FreeBSD-SA-25:12.rtsold: Remote code execution via ND6 Router Advertisements
bsd_advisories·2025-12-16·CVSS 7.2
FreeBSD-SA-25:12.rtsold Security Advisory
The FreeBSD Project
Topic: Remote code execution via ND6 Router Advertisements
Category: core
Module: rtsold
Announced: 2025-12-16
Credits: Kevin Day
Affects: All supported versions of FreeBSD.
Corrected: 2025-12-16 23:39:32 UTC (stable/15, 15.0-STABLE)
2025-12-16 23:43:01 UTC (releng/15.0, 15.0-RELEASE-p1)
2025-12-16 23:45:05 UTC (stable/14, 14.3-STABLE)
2025-12-16 23:43:25 UTC (releng/14.3, 14.3-RELEASE-p7)
2025-12-16 23:44:10 UTC (stable/13, 13.4-STABLE)
2025-12-16 23:43:33 UTC (releng/13.5, 13.5-RELEASE-p8)
CVE Name: CVE-2025-14558
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
rtsold(8) and rtsol(8) are p
Suricata
ET EXPLOIT FreeBSD rtsold DNSSL Remote Code Execution (CVE-2025-14558)
suricata·2025-12-23·CVSS 7.2
Rule: alert ip any any -> $HOME_NET any (msg:"ET EXPLOIT FreeBSD rtsold DNSSL Remote Code Execution (CVE-2025-14558)"; content:"|1f|"; pcre:"/^.{7,64}[\x3b\x26\x60\x7c\x24]/R"; icmpv6.hdr; content:"|86 00|"; startswith; reference:url,github.com/JohannesLks/CVE-2025-14558; reference:cve,2025-14558; classtype:bad-unknown; sid:2066447; rev:1; metadata:attack_target Client_and_Server, created_at 2025_12_23, cve CVE_2025_14558, deployment Perimeter, deployment Internal, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2025_12_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Exploit-DB
FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
exploitdb·2025-12-25·CVSS 7.2
---
# Exploit Title: FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
# Date: 2025-12-16
# Exploit Author: Lukas Johannes Möller
# Vendor Homepage: https://www.freebsd.org/
# Version: FreeBSD 13.x, 14.x, 15.x (before 2025-12-16 patches)
# Tested on: FreeBSD 14.1-RELEASE
# CVE: CVE-2025-14558
#
# Description:
# rtsold(8) processes IPv6 Router Advertisement DNSSL options without
# validating domain names for shell metacharacters. The decoded domains
# are passed to resolvconf(8), a shell script that uses unquoted variable
# expansion, enabling command injection via $() substitution.
#
# Requirements:
# - Layer 2 adjacency to target
# - Target running rtsold with ACCEPT_RTADV enabled
# - Root privileges (raw socket for sending RA)
#
Metasploit
FreeBSD rtsold/rtsol DNSSL Command Injection
metasploit·CVSS 7.2
This module exploits a command injection vulnerability (CVE-2025-14558) in FreeBSD's rtsol(8) and rtsold(8) programs. These programs do not validate the domain search list options provided in IPv6 Router Advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell script which does not validate its input. A lack of quoting means that shell commands passed as input to resolvconf(8) may be executed, enabling command injection via $() substitution in the DNSSL domain name fields. This exploit requires Layer 2 adjacency to the target (same network segment) and root privileges to send raw packets. Router advertisement messages are not routable and should be dropped by routers, so the attack does not cross n