High | Public exploit

FreeBSD rtsol/rtsold DNSSL Router Advertisement Command Injection

Identifiers: CVE-2025-14558, CWE-78

CVE-2025-14558 is a remote command injection vulnerability in FreeBSD's rtsol(8) and rtsold(8). The programs do not validate the Domain Name Search List (DNSSL) option received in IPv6 Router Advertisement (RA) messages and pass the option body unmodified to resolvconf(8). Because resolvconf(8) is implemented as a shell script and does not properly validate or quote its input, attacker-controlled shell metacharacters embedded in the DNSSL data can be interpreted as commands. As a result, a malicious RA sent on the local IPv6 network segment can trigger arbitrary shell command execution.
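
The missing validation described above can be illustrated with a small checker, added here as an example (it is not FreeBSD's patch or code from any repository listed on this page). It walks the options of a Router Advertisement, decodes the DNSSL option (type 31, RFC 8106) and rejects any search domain whose labels fall outside letters, digits and hyphens. The allowlist and the function names are assumptions of this example, and `SAMPLE` is constructed input.

```python
import re
DNSSL_TYPE = 31  # ND option type for DNS Search List (RFC 8106)
LDH = re.compile(rb"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")  # assumed allowlist

def iter_options(opts):
    """Yield (type, body) per ND option; the length byte counts 8-octet units."""
    off = 0
    while off + 2 <= len(opts):
        otype, units = opts[off], opts[off + 1]
        if units == 0 or off + units * 8 > len(opts):
            raise ValueError("malformed ND option length")
        yield otype, opts[off + 2:off + units * 8]
        off += units * 8

def decode_names(data):
    """Split RFC 1035 label sequences into names; zero octets end or pad."""
    names, labels, off = [], [], 0
    while off < len(data):
        n = data[off]
        off += 1
        if n == 0:
            if labels:
                names.append(labels)
                labels = []
            continue
        if n > 63 or off + n > len(data):
            raise ValueError("bad label length (or compression pointer)")
        labels.append(data[off:off + n])
        off += n
    if labels:
        raise ValueError("unterminated domain name")
    return names

def check_dnssl(opts):
    """Return (accepted, rejected) search domains from an RA's option bytes."""
    accepted, rejected = [], []
    for otype, body in iter_options(opts):
        if otype != DNSSL_TYPE:
            continue
        for labels in decode_names(body[6:]):  # skip reserved(2) + lifetime(4)
            name = b".".join(labels).decode("latin-1")
            # fullmatch, not match: "$" would let a trailing newline through
            good = all(LDH.fullmatch(label) for label in labels)
            (accepted if good else rejected).append(name)
    return accepted, rejected

# Constructed sample: an MTU option, then a DNSSL option carrying two names.
SAMPLE = (b"\x05\x01\x00\x00\x00\x00\x05\xdc"
          b"\x1f\x05\x00\x00\x00\x00\x02\x58"
          b"\x04corp\x07example\x00" b"\x03x;y\x07example\x00" + b"\x00" * 5)
```

`check_dnssl(SAMPLE)` returns `(['corp.example'], ['x;y.example'])`; a rejected name is a reason to drop the option and log the advertisement instead of handing it to resolvconf(8).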


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An attacker on the same network segment can achieve remote code execution as root on affected systems running rtsol(8) or rtsold(8). The issue enables arbitrary shell command execution through crafted IPv6 RA messages. The attack is limited to the local link and cannot cross network boundaries, but successful exploitation fully compromises the affected host with root privileges.

Mitigation

If you can’t patch tonight, do this now.

No complete workaround is available according to the advisory. Reduce exposure by disabling IPv6 where not needed and ensuring interfaces do not have the ACCEPT_RTADV option enabled unless router advertisement processing is explicitly required. More generally, prevent untrusted hosts on the local segment from sending rogue IPv6 router advertisements through network access controls or RA filtering/guard features where available.
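
One way to audit the ACCEPT_RTADV exposure named above, as an added example that is not part of the advisory or of this page's original content: it reads the text of `ifconfig -a` for interfaces whose live `nd6 options` include ACCEPT_RTADV, and reads `rc.conf` text for settings that turn RA processing back on at boot. The function names are hypothetical and both sample inputs are constructed.

```python
import re

IFACE = re.compile(r"^(\S+): flags=")
ND6 = re.compile(r"^\s+nd6 options=[0-9a-f]+<([^>]*)>")
RCVAR = re.compile(r"""^\s*(\w+)=["']?([^"'#]*)["']?""")

def runtime_rtadv(ifconfig_text):
    """Interfaces whose live nd6 flags include ACCEPT_RTADV."""
    found, current = [], None
    for line in ifconfig_text.splitlines():
        if (m := IFACE.match(line)):
            current = m.group(1)
        elif (m := ND6.match(line)) and current:
            if "ACCEPT_RTADV" in m.group(1).split(","):
                found.append(current)
    return found

def persistent_rtadv(rc_conf_text):
    """rc.conf variables that enable rtsold or accept_rtadv at boot."""
    findings = []
    for line in rc_conf_text.splitlines():
        m = RCVAR.match(line)  # commented-out lines do not match
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "rtsold_enable" and value.upper() == "YES":
            findings.append(key)
        elif (key.startswith("ifconfig_") and key.endswith("_ipv6")
              and "accept_rtadv" in value.split()):
            findings.append(key)  # "-accept_rtadv" is a different token
    return findings

# Constructed sample inputs (not captured from a real host).
IFCONFIG_SAMPLE = (
    "em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tinet6 fe80::1%em0 prefixlen 64 scopeid 0x1\n"
    "\tnd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>\n"
    "em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>\n"
)
RC_CONF_SAMPLE = '''rtsold_enable="YES"
ifconfig_em0_ipv6="inet6 accept_rtadv"
ifconfig_em1_ipv6="inet6 -accept_rtadv"
#rtsold_enable="NO"
'''
```

On the samples, `runtime_rtadv` reports `em0` only, and `persistent_rtadv` reports `rtsold_enable` and `ifconfig_em0_ipv6`.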

Remediation

Patch, then assume compromise.

Upgrade FreeBSD to a supported stable or release/security branch dated after 2025-12-16, or apply the vendor-provided binary or source patches referenced in FreeBSD Security Advisory freebsd-sa-25:12.rtsold. After patching, restart the affected daemons or reboot the system to ensure the fixed code is in use.
PUBLIC EXPLOITS

Exploits

4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 4 / 5 total

Blackash-CVE-2025-14558 | Maturity: PoC | Verified exploit

Repository contains a single Python proof-of-concept exploit script and a README.

Files:
- CVE-2025-14558.py: Python/Scapy PoC that crafts and sends malicious IPv6 ICMPv6 Router Advertisement packets.
- README.md: High-level vulnerability description, impact, and example commands (including reverse shell examples).

Exploit purpose/capability:
- The script targets an alleged FreeBSD command-injection vulnerability (CVE-2025-14558) in IPv6 RA processing, specifically via the ICMPv6 ND DNSSL (Domain Search List) option.
- It embeds an attacker-supplied shell command into a DNSSL searchlist entry using a classic shell-injection pattern: "evil.com; <command> #".
- It then sends the RA to the IPv6 all-nodes multicast address (ff02::1), aiming to have any vulnerable host on the local link process it. If the target’s rtsold processes the DNSSL and passes it unsafely to resolvconf, the injected command executes as root.

Operational notes from code:
- Requires Scapy and raw packet privileges (run as root).
- User supplies interface (--iface), command (--command), optional advertised prefix (--prefix, default 2001:db8::), and can loop continuously (--loop) or send 10 packets.
- No built-in target selection beyond local-link multicast; it is a broadcast-style local network attack.

Overall, this is an operational PoC for local-network RCE via malicious IPv6 Router Advertisements, with the payload fully controlled by the operator through the --command argument.

rockmelodies | Disclosed Dec 23, 2025 | python, markdown | network (local-link IPv6 ICMPv6 Router Advertisement / ND DNSSL option command injection)

Ashwesker-CVE-2025-14558 | Maturity: PoC | Verified exploit

This repository contains a proof-of-concept (PoC) exploit for CVE-2025-14558, a critical remote code execution vulnerability in FreeBSD's rtsold daemon. The exploit is implemented in a single Python script (CVE-2025-14558.py) that uses the Scapy library to craft and send malicious IPv6 Router Advertisement (RA) packets with a specially crafted Domain Search List (DNSSL) option. The DNSSL option is manipulated to inject arbitrary shell commands, which are then executed as root on vulnerable FreeBSD systems running rtsold. The script requires root privileges and allows the attacker to specify the network interface, the command to inject, and optionally the IPv6 prefix and whether to loop sending packets. The README.md provides detailed background, technical explanation, and usage instructions. The attack is network-based and requires the attacker to be on the same local network segment as the target. The exploit demonstrates the ability to create files or establish a reverse shell on the target. No detection or scanning functionality is present; this is a direct exploitation PoC.

Ashwesker | Disclosed Dec 23, 2025 | python | network

Blackash-CVE-2025-14558 | Maturity: PoC | Verified exploit

This repository contains a proof-of-concept (PoC) exploit for CVE-2025-14558, a critical remote code execution vulnerability in FreeBSD's rtsold daemon. The exploit is implemented in a single Python script (CVE-2025-14558.py) that uses the Scapy library to craft and send malicious IPv6 Router Advertisement (RA) packets with a specially crafted Domain Search List (DNSSL) option. The DNSSL option is manipulated to inject arbitrary shell commands, which are then executed as root on vulnerable FreeBSD systems running rtsold. The script requires root privileges and allows the attacker to specify the network interface, the command to inject, and optionally the IPv6 prefix and whether to loop sending packets. The README.md provides detailed background, technical explanation, and usage instructions. The attack is network-based and requires the attacker to be on the same local network segment as the target. The exploit demonstrates the ability to create files or establish a reverse shell on the target. No detection or scanning functionality is present; this is a direct exploitation PoC.

Ashwesker | Disclosed Dec 23, 2025 | python | network

CVE-2025-14558 | Maturity: PoC | Verified exploit

This repository contains a working exploit for CVE-2025-14558, a command injection vulnerability in FreeBSD's rtsold/rtsol daemons. The exploit leverages the DNSSL option in IPv6 Router Advertisements to inject arbitrary shell commands, which are executed by the target's resolvconf(8) script due to improper input sanitization. The exploit is implemented in Python (exploit.py) and uses the Scapy library to craft and send malicious RA packets on the local network. The README.md provides a detailed overview, usage instructions, and references. The exploit supports custom payloads, including file creation, arbitrary command execution, and reverse shells. The main entry point is exploit.py, which takes network interface and payload parameters. The attack vector is network-based, requiring the attacker to be on the same Layer 2 segment as the target. The exploit is operational and demonstrates real-world impact, but is not part of a larger framework.

JohannesLks | Disclosed Dec 20, 2025 | python, markdown | network

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Freebsd | Freebsd | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
