CVE-2025-14558

HIGH

FreeBSD rtsold 15.x - Remote Code Execution via DNSSL

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-14558. PoCs published by Lukas Johannes Möller, JohannesLks, rockmelodies, including Metasploit module exploits/freebsd/misc/rtsold_dnssl_cmdinject.

AI-analyzed exploit summary This exploit leverages a command injection vulnerability in FreeBSD's rtsold via maliciously crafted DNSSL options in IPv6 Router Advertisement packets. The payload is encoded to bypass shell metacharacter validation and achieve remote code execution through resolvconf's unquoted variable expansion.

Description

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell commands pass as input to resolvconf(8) may be executed.

Exploits (4)

exploitdb WORKING POC

by Lukas Johannes Möller · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52463

View Code ZIP pw:eip

This exploit leverages a command injection vulnerability in FreeBSD's rtsold via maliciously crafted DNSSL options in IPv6 Router Advertisement packets. The payload is encoded to bypass shell metacharacter validation and achieve remote code execution through resolvconf's unquoted variable expansion.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: FreeBSD rtsold (13.x, 14.x, 15.x before 2025-12-16 patches)

No auth needed

Prerequisites: Layer 2 adjacency to target · Target running rtsold with ACCEPT_RTADV enabled · Root privileges for raw socket access

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 14 stars

by JohannesLks · poc

https://github.com/JohannesLks/CVE-2025-14558

View Code ZIP pw:eip

This is a functional exploit for CVE-2025-14558, targeting a command injection vulnerability in FreeBSD's rtsold via maliciously crafted DNSSL options in IPv6 Router Advertisements. The PoC uses Scapy to send packets with embedded shell metacharacters, achieving remote code execution on vulnerable systems.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: FreeBSD rtsold (13.x, 14.x, 15.x before 2025-12-16)

No auth needed

Prerequisites: Layer 2 adjacency to target · Target running rtsold with ACCEPT_RTADV enabled · Root privileges for raw socket access

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by rockmelodies · poc

https://github.com/rockmelodies/Blackash-CVE-2025-14558

View Code ZIP pw:eip

This is a functional proof-of-concept exploit for CVE-2025-14558, demonstrating remote command injection via crafted IPv6 Router Advertisement packets targeting FreeBSD's rtsold service. It uses Scapy to send malicious DNSSL options that trigger command execution as root.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: FreeBSD rtsold (IPv6 Router Advertisement daemon)

No auth needed

Prerequisites: Network access to the same local segment as the target · Target running vulnerable rtsold service · IPv6 enabled on target

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Lukas Johannes Möller, Kevin Day · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/misc/rtsold_dnssl_cmdinject.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2025-14558, a command injection vulnerability in FreeBSD's rtsol(8) and rtsold(8) via malformed DNSSL options in IPv6 Router Advertisement packets. The exploit sends crafted packets to trigger command execution via shell substitution in resolvconf(8).

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: FreeBSD (versions before 13.5-RELEASE-p8 / 14.3-RELEASE-p7 / 15.0-RELEASE-p1)

No auth needed

Prerequisites: Layer 2 adjacency to target · Root privileges for raw packet injection

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Various Sources

https://sploitus.com/exploit?id=MSF:EXPLOIT-FREEBSD-MISC-RTSOLD_DNSSL_CMDINJECT-

Various Sources vendor-advisory

https://security.freebsd.org/advisories/FreeBSD-SA-25:12.rtsold.asc

Scores

CVSS v3 7.2

EPSS 0.0627

EPSS Percentile 92.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (3)

freebsd/freebsd 13.5 (8 CPE variants)

freebsd/freebsd 14.3 (7 CPE variants)

freebsd/freebsd 15.0

Published Mar 09, 2026

Tracked Since Feb 18, 2026