@JohannesLks JohannesLks commented Dec 21, 2025

New Module: FreeBSD rtsold/rtsol DNSSL Command Injection (CVE-2025-14558)

Fixes #20789

This PR adds a new exploit module for CVE-2025-14558, a command injection vulnerability in FreeBSD's rtsol(8) and rtsold(8) daemons. The vulnerability arises from improper validation of the Domain Name Search List (DNSSL) option in IPv6 Router Advertisement (RA) messages, which are passed to the resolvconf(8) script without sanitization. An attacker on the local network can execute arbitrary commands as root by injecting shell metacharacters into the DNSSL domain field.

Verification

  • Start msfconsole
  • use exploit/freebsd/misc/rtsold_dnssl_cmdinject
  • set INTERFACE <your_interface> (e.g., eth0)
  • set CMD touch /tmp/pwned
  • exploit
  • Verify that Router Advertisement(s) sent successfully is displayed.
  • Verify on the target machine (if available) that /tmp/pwned exists.

Demo / Proof of Concept

This module requires a FreeBSD target system (versions 13.x, 14.x, or 15.0 prior to 2025-12-16 patches) running rtsold with the -s flag.

@JohannesLks JohannesLks marked this pull request as draft December 21, 2025 22:13
@JohannesLks JohannesLks changed the title Draft: Add Module and Documentation for CVE-2025-14558 Add Module and Documentation for CVE-2025-14558 Dec 21, 2025
@JohannesLks JohannesLks marked this pull request as ready for review December 21, 2025 22:28
@JohannesLks JohannesLks requested a review from bcoles December 23, 2025 14:29
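
A defender-side check for the input class described in the PR, as an added example that is not part of the pull request, the Metasploit module or the FreeBSD fix: it decodes a DNSSL option (ND option type 31, RFC 8106) and reports any search domain whose labels contain bytes outside letters, digits, hyphen and underscore. The function names, the allow-list and the two sample options are constructed for illustration.

```python
import re
import struct

DNSSL_TYPE = 31  # ND option type for DNS Search List (RFC 8106)
# Assumed allow-list: letters, digits, hyphen, underscore (nothing a shell interprets).
SAFE_LABEL = re.compile(rb"[A-Za-z0-9_-]{1,63}")

# Constructed samples: type, length (8-octet units), reserved, lifetime, names, padding.
HEADER = b"\x1f\x03\x00\x00\x00\x00\x0e\x10"
GOOD = HEADER + b"\x07example\x03com\x00" + b"\x00" * 3
BAD = HEADER + b"\x05lan;x\x03com\x00" + b"\x00" * 5


def parse_dnssl(option: bytes) -> list[list[bytes]]:
    """Decode one DNSSL option into domains, each a list of raw labels."""
    if len(option) < 8:
        raise ValueError("option shorter than its fixed header")
    opt_type, units, _reserved, _lifetime = struct.unpack("!BBHI", option[:8])
    if opt_type != DNSSL_TYPE:
        raise ValueError("not a DNSSL option")
    if units * 8 != len(option):
        raise ValueError("length field does not match option size")
    data, pos, domains, labels = option[8:], 0, [], []
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:  # end of a name, or trailing zero padding
            if labels:
                domains.append(labels)
                labels = []
            continue
        if n > 63 or pos + n > len(data):  # no compression pointers, no overrun
            raise ValueError("invalid label length")
        labels.append(data[pos:pos + n])
        pos += n
    if labels:
        raise ValueError("unterminated domain name")
    return domains


def unsafe_domains(option: bytes) -> list[bytes]:
    """Return decoded domains that fail the allow-list and must be dropped."""
    return [b".".join(labels) for labels in parse_dnssl(option)
            if not all(SAFE_LABEL.fullmatch(label) for label in labels)]


if __name__ == "__main__":
    for name, opt in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, parse_dnssl(opt), "rejected:", unsafe_domains(opt))
```

The same allow-list can run in a packet monitor to alert on RAs carrying such domains, independent of whether hosts on the segment are patched.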

Development

Successfully merging this pull request may close these issues.

Remote command injection in FreeBSD via IPv6 processing