CVE-2025-14558 Overview
CVE-2025-14558 is a command injection vulnerability affecting FreeBSD's rtsol(8) and rtsold(8) programs. These programs fail to validate domain search list options provided in router advertisement messages, passing the option body to resolvconf(8) without modification. Since resolvconf(8) is implemented as a shell script that does not validate its input, improper quoting allows shell commands passed as input to be executed with elevated privileges.
Critical Impact
An attacker with network access can inject arbitrary shell commands through malicious router advertisements, potentially achieving remote code execution on vulnerable FreeBSD systems running rtsold.
Affected Products
- FreeBSD systems running rtsold(8) or rtsol(8) for IPv6 router discovery
- Systems configured to accept IPv6 Router Advertisements
- Environments using resolvconf(8) for DNS configuration management
Discovery Timeline
- 2026-03-09 - CVE CVE-2025-14558 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2025-14558
Vulnerability Analysis
This vulnerability represents a classic command injection weakness stemming from improper input validation in a chain of system utilities. The rtsold(8) daemon, responsible for handling IPv6 Router Advertisement messages, processes DNSSL (Domain Name System Search List) options without sanitizing their contents. When these options contain shell metacharacters, they are passed verbatim to resolvconf(8), which operates as a shell script. The lack of proper quoting in resolvconf(8) allows embedded shell commands to be executed in the context of the daemon.
The vulnerability is exploitable over the network by an attacker who can send crafted Router Advertisement messages to a target system. This requires the attacker to be on the same network segment or able to spoof IPv6 Router Advertisement packets. Successful exploitation can lead to complete system compromise, including arbitrary code execution with root privileges.
Root Cause
The root cause is twofold: First, rtsold(8) does not validate or sanitize the DNSSL option data received from Router Advertisement messages before passing it to resolvconf(8). Second, resolvconf(8) is implemented as a shell script that fails to properly quote input parameters, creating an injection point where shell metacharacters in the DNSSL data are interpreted and executed.
Attack Vector
The attack is carried out by sending malicious IPv6 Router Advertisement messages containing specially crafted DNSSL options. An attacker positioned on the local network segment can craft Router Advertisement packets with shell metacharacters embedded in the domain search list field. When rtsold(8) receives these packets, it extracts the DNSSL option and passes it to resolvconf(8), which inadvertently executes the embedded commands due to insufficient input sanitization.
The vulnerability mechanism involves crafting Router Advertisement packets with DNSSL options containing shell command sequences. When processed by the vulnerable rtsold daemon, these commands are executed through the resolvconf(8) shell script. Technical exploitation details are available in the FreeBSD Security Advisory.
Detection Methods for CVE-2025-14558
Indicators of Compromise
- Unexpected process spawning from rtsold or resolvconf processes
- Unusual network activity following receipt of IPv6 Router Advertisement messages
- Modifications to DNS configuration files not initiated by administrators
- Log entries showing malformed domain names containing shell metacharacters
Detection Strategies
- Monitor for anomalous IPv6 Router Advertisement traffic with unusual DNSSL options
- Implement network-based intrusion detection rules for malformed RA packets
- Enable process auditing to detect unexpected child processes of rtsold
- Review system logs for resolvconf errors or unexpected command execution
Monitoring Recommendations
- Enable verbose logging for rtsold daemon to capture RA message details
- Implement network traffic analysis for IPv6 Router Advertisements with suspicious payloads
- Deploy endpoint detection to identify shell command execution from network daemon contexts
- Monitor /etc/resolv.conf and related DNS configuration files for unauthorized changes
How to Mitigate CVE-2025-14558
Immediate Actions Required
- Apply the security patch provided in FreeBSD Security Advisory FreeBSD-SA-25:12
- Consider temporarily disabling rtsold if IPv6 router discovery is not required
- Implement network-level filtering for untrusted Router Advertisement messages
- Enable Router Advertisement Guard (RA Guard) on network switches if available
Patch Information
FreeBSD has released a security advisory addressing this vulnerability. Administrators should apply the patches referenced in FreeBSD-SA-25:12.rtsold.asc. The fix involves proper input validation in both rtsold(8) and resolvconf(8) to prevent shell metacharacter interpretation. A Metasploit module exists for this vulnerability as documented in the Sploitus exploit listing, increasing the urgency for patching.
Workarounds
- Disable rtsold service if IPv6 autoconfiguration is not required: sysrc rtsold_enable="NO" and service rtsold stop
- Configure static IPv6 addressing to eliminate dependency on Router Advertisements
- Deploy RA Guard on network infrastructure to filter malicious Router Advertisement packets
- Implement strict network segmentation to limit attacker access to broadcast domains
# Disable rtsold service as a temporary workaround
sysrc rtsold_enable="NO"
service rtsold stop
# Verify service is disabled
service rtsold status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
