FreeBSD rtsol/rtsold DNSSL Router Advertisement Command Injection
CVE-2025-14558 is a remote command injection vulnerability in FreeBSD's rtsol(8) and rtsold(8). The programs do not validate the Domain Name Search List (DNSSL) option received in IPv6 Router Advertisement (RA) messages and pass the option body unmodified to resolvconf(8). Because resolvconf(8) is implemented as a shell script and does not properly validate or quote its input, attacker-controlled shell metacharacters embedded in the DNSSL data can be interpreted as commands. As a result, a malicious RA sent on the local IPv6 network segment can trigger arbitrary shell command execution.
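The check described above is what the DNSSL consumer needs to perform before the names reach a shell script. The following is an added example, not FreeBSD's rtsold code nor its fix: it decodes an RFC 8106 DNSSL option from its wire format (type 31, length in 8-octet units, 4-byte lifetime, then DNS-encoded names padded to an 8-octet boundary) and then admits only names that satisfy RFC 1035 hostname syntax, so anything carrying shell metacharacters is dropped before it could be handed to resolvconf(8). The encoder, the sample names and the regex policy are assumptions constructed for the demonstration; the policy is deliberately stricter than what DNS itself permits.

```python
import re
import struct
from typing import List, Tuple

DNSSL_OPTION_TYPE = 31  # ND option type for DNSSL, RFC 8106 section 5.2

# Assumed policy: RFC 1035 hostname labels only (letters, digits, hyphen;
# no leading/trailing hyphen; 1..63 chars). A search-list entry is either a
# hostname-shaped domain or it is discarded.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_NAME_LEN = 253


def parse_dnssl_option(option: bytes) -> Tuple[int, List[str]]:
    """Decode one DNSSL option into (lifetime, [domain, ...]).

    Names are returned as decoded text *without* validation; the caller must
    run validate_search_list() before using them anywhere.
    """
    if len(option) < 8:
        raise ValueError("DNSSL option shorter than its fixed 8-byte header")
    opt_type, opt_len, _reserved, lifetime = struct.unpack("!BBHI", option[:8])
    if opt_type != DNSSL_OPTION_TYPE:
        raise ValueError(f"not a DNSSL option (type {opt_type})")
    if opt_len == 0 or opt_len * 8 != len(option):
        raise ValueError("DNSSL length field does not match option size")

    names: List[str] = []
    pos = 8
    while pos < len(option):
        labels: List[str] = []
        while True:
            if pos >= len(option):
                raise ValueError("truncated domain name in DNSSL option")
            n = option[pos]
            pos += 1
            if n == 0:          # end of this name (or a padding byte)
                break
            if n > 63:          # no DNS compression pointers in ND options
                raise ValueError("label length > 63 in DNSSL option")
            if pos + n > len(option):
                raise ValueError("label runs past end of DNSSL option")
            labels.append(option[pos:pos + n].decode("latin-1"))
            pos += n
        if labels:              # a lone 0x00 is trailing padding, skip it
            names.append(".".join(labels))
    return lifetime, names


def validate_search_list(names: List[str]) -> Tuple[List[str], List[str]]:
    """Partition names into (accepted, rejected) under the hostname policy."""
    accepted: List[str] = []
    rejected: List[str] = []
    for name in names:
        ok = len(name) <= MAX_NAME_LEN and all(
            _LABEL_RE.match(label) for label in name.split(".")
        )
        (accepted if ok else rejected).append(name)
    return accepted, rejected


def encode_dnssl_option(lifetime: int, names: List[str]) -> bytes:
    """Build a DNSSL option (used only to construct the sample input below)."""
    body = b""
    for name in names:
        for label in name.split("."):
            raw = label.encode("latin-1")
            body += bytes([len(raw)]) + raw
        body += b"\x00"
    total = 8 + len(body)
    padded = (total + 7) // 8 * 8
    body += b"\x00" * (padded - total)
    return struct.pack("!BBHI", DNSSL_OPTION_TYPE, padded // 8, 0, lifetime) + body


# Constructed sample: two well-formed search domains and one entry carrying a
# shell metacharacter, which the policy must reject.
SAMPLE_OPTION = encode_dnssl_option(
    1800, ["corp.example", "bad;label", "legit.example.net"]
)


def accepted_search_domains(option: bytes) -> List[str]:
    """What a hardened consumer would pass on as the resolv.conf search list."""
    _lifetime, names = parse_dnssl_option(option)
    accepted, _rejected = validate_search_list(names)
    return accepted


if __name__ == "__main__":
    lifetime, names = parse_dnssl_option(SAMPLE_OPTION)
    accepted, rejected = validate_search_list(names)
    print("lifetime:", lifetime)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Running the block prints the accepted list `['corp.example', 'legit.example.net']` and the rejected `['bad;label']`. Validating before the hand-off is the structural fix; quoting in the shell script is a second, independent layer that should also be present.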
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository contains a single Python proof-of-concept exploit script and a README.
Files:
- CVE-2025-14558.py: Python/Scapy PoC that crafts and sends malicious IPv6 ICMPv6 Router Advertisement packets.
- README.md: High-level vulnerability description, impact, and example commands (including reverse shell examples).
Exploit purpose/capability:
- The script targets an alleged FreeBSD command-injection vulnerability (CVE-2025-14558) in IPv6 RA processing, specifically via the ICMPv6 ND DNSSL (Domain Search List) option.
- It embeds an attacker-supplied shell command into a DNSSL searchlist entry using a classic shell-injection pattern: "evil.com; <command> #".
- It then sends the RA to the IPv6 all-nodes multicast address (ff02::1), aiming to have any vulnerable host on the local link process it. If the target's rtsold processes the DNSSL and passes it unsafely to resolvconf, the injected command executes as root.
Operational notes from code:
- Requires Scapy and raw packet privileges (run as root).
- User supplies interface (--iface), command (--command), optional advertised prefix (--prefix, default 2001:db8::), and can loop continuously (--loop) or send 10 packets.
- No built-in target selection beyond local-link multicast; it is a broadcast-style local network attack.
Overall, this is an operational PoC for local-network RCE via malicious IPv6 Router Advertisements, with the payload fully controlled by the operator through the --command argument.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-14558, a critical remote code execution vulnerability in FreeBSD's rtsold daemon. The exploit is implemented in a single Python script (CVE-2025-14558.py) that uses the Scapy library to craft and send malicious IPv6 Router Advertisement (RA) packets with a specially crafted Domain Search List (DNSSL) option. The DNSSL option is manipulated to inject arbitrary shell commands, which are then executed as root on vulnerable FreeBSD systems running rtsold. The script requires root privileges and allows the attacker to specify the network interface, the command to inject, and optionally the IPv6 prefix and whether to loop sending packets. The README.md provides detailed background, technical explanation, and usage instructions. The attack is network-based and requires the attacker to be on the same local network segment as the target. The exploit demonstrates the ability to create files or establish a reverse shell on the target. No detection or scanning functionality is present; this is a direct exploitation PoC.
This repository contains a working exploit for CVE-2025-14558, a command injection vulnerability in FreeBSD's rtsold/rtsol daemons. The exploit leverages the DNSSL option in IPv6 Router Advertisements to inject arbitrary shell commands, which are executed by the target's resolvconf(8) script due to improper input sanitization. The exploit is implemented in Python (exploit.py) and uses the Scapy library to craft and send malicious RA packets on the local network. The README.md provides a detailed overview, usage instructions, and references. The exploit supports custom payloads, including file creation, arbitrary command execution, and reverse shells. The main entry point is exploit.py, which takes network interface and payload parameters. The attack vector is network-based, requiring the attacker to be on the same Layer 2 segment as the target. The exploit is operational and demonstrates real-world impact, but is not part of a larger framework.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.