Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-14558 is a remote code execution vulnerability in FreeBSD's rtsol(8) and rtsold(8) programs, which handle IPv6 router advertisement packets as part of the Stateless Address Autoconfiguration (SLAAC) mechanism."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because these programs do not validate the domain search list options in router advertisement messages and pass them unmodified to resolvconf(8), a shell script that also lacks input validation.'}, {'type': 'paragraph', 'content': 'Due to missing input quoting, malicious shell commands embedded in these options can be executed remotely by an attacker on the same local network segment.'}, {'type': 'paragraph', 'content': 'The attack is limited to the local network since router advertisement messages are non-routable and typically dropped by routers.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker on the same local network segment to execute arbitrary shell commands on a vulnerable FreeBSD system remotely.

Successful exploitation could lead to unauthorized control over the affected system, potentially compromising system integrity, confidentiality, and availability.

Systems not using IPv6 or configured not to accept router advertisement messages are not affected.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the rtsol(8) and rtsold(8) programs processing IPv6 router advertisement messages with domain search list options that are not validated. Detection would involve monitoring for suspicious or malformed router advertisement messages containing unusual domain search list options that could include shell commands.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to router advertisement messages on the local network segment, you can inspect IPv6 router advertisements using packet capture tools such as tcpdump or Wireshark.'}, {'type': 'list_item', 'content': 'Use tcpdump to capture IPv6 router advertisement packets: tcpdump -i <interface> icmp6 and ip6[40] == 134'}, {'type': 'list_item', 'content': 'Analyze captured packets for suspicious domain search list options that might contain shell commands.'}, {'type': 'paragraph', 'content': "Additionally, check if your system's network interfaces have the ACCEPT_RTADV flag enabled in the nd6 option list, as systems without this flag are not affected."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

There is no workaround for this vulnerability. Immediate mitigation steps include:

• Upgrade FreeBSD to stable or release/security branches updated after December 16, 2025, which contain patches fixing this issue.
• Apply binary patches using freebsd-update(8) on supported platforms (amd64, arm64, i386 on FreeBSD 13).
• Alternatively, apply source code patches verified with PGP signatures, recompile the system, and restart affected services or reboot.
• If possible, disable acceptance of router advertisement messages by removing the ACCEPT_RTADV flag from network interface nd6 options to prevent the system from processing these messages.

Systems not using IPv6 or configured not to accept router advertisement messages are not affected.

Useful 0 Not Useful 0