module

FreeBSD rtsold/rtsol DNSSL Command Injection

Try Surface Command
Back to search
Disclosed
Dec 16, 2025
Created
Feb 13, 2026

Description

This module exploits a command injection vulnerability (CVE-2025-14558)
in FreeBSD's rtsol(8) and rtsold(8) programs. These programs do not
validate the domain search list options provided in IPv6 Router
Advertisement messages; the option body is passed to resolvconf(8)
unmodified. resolvconf(8) is a shell script which does not validate
its input. A lack of quoting means that shell commands passed as input
to resolvconf(8) may be executed, enabling command injection via $()
substitution in the DNSSL domain name fields.

This exploit requires Layer 2 adjacency to the target (same network
segment) and root privileges to send raw packets. Router advertisement
messages are not routable and should be dropped by routers, so the
attack does not cross network boundaries.

Authors

Lukas Johannes Möller
Kevin Day

Platform

Unix

Architectures

cmd

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/freebsd/misc/rtsold_dnssl_cmdinject
    msf exploit(rtsold_dnssl_cmdinject) > show targets
        ...targets...
    msf exploit(rtsold_dnssl_cmdinject) > set TARGET < target-id >
    msf exploit(rtsold_dnssl_cmdinject) > show options
        ...show and set options...
    msf exploit(rtsold_dnssl_cmdinject) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today