module

FreeBSD rtsold/rtsol DNSSL Command Injection

Disclosed	Created
Dec 16, 2025	Feb 13, 2026

Disclosed

Dec 16, 2025

Created

Feb 13, 2026

Description

This module exploits a command injection vulnerability (CVE-2025-14558)
in FreeBSD's rtsol(8) and rtsold(8) programs. These programs do not
validate the domain search list options provided in IPv6 Router
Advertisement messages; the option body is passed to resolvconf(8)
unmodified. resolvconf(8) is a shell script which does not validate
its input. A lack of quoting means that shell commands passed as input
to resolvconf(8) may be executed, enabling command injection via $()
substitution in the DNSSL domain name fields.

This exploit requires Layer 2 adjacency to the target (same network
segment) and root privileges to send raw packets. Router advertisement
messages are not routable and should be dropped by routers, so the
attack does not cross network boundaries.

Authors

Lukas Johannes Möller
Kevin Day

Platform

Unix

Architectures

cmd

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/freebsd/misc/rtsold_dnssl_cmdinject
    msf exploit(rtsold_dnssl_cmdinject) > show targets
        ...targets...
    msf exploit(rtsold_dnssl_cmdinject) > set TARGET < target-id >
    msf exploit(rtsold_dnssl_cmdinject) > show options
        ...show and set options...
    msf exploit(rtsold_dnssl_cmdinject) > exploit

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report