A critical vulnerability in FreeBSD's IPv6 implementation has become significantly more dangerous as multiple proof-of-concept exploits surfaced in recent weeks. The flaw, tracked as CVE-2025-14558 and carrying a severity score of 9.8, affects the rtsold daemon responsible for IPv6 router solicitation and lets attackers execute arbitrary code on vulnerable systems using nothing more than a crafted network packet.

FreeBSD disclosed the vulnerability and released patches on December 16, 2024, but the threat escalated when researchers published working exploit code approximately two weeks ago. Multiple PoC exploits now circulate on GitHub, with security researchers demonstrating automated exploitation techniques. This makes patching an immediate priority for any organization running FreeBSD servers that still haven't applied the December security update.

Embedded LinkedIn post by Bryce Kunz, "FreeBSD IPv6 RCE Exploit Explained: CVE-2025-14558":

FreeBSD IPv6 UnAuth'd RCE Exploit Explained

FreeBSD is legendary for its stability, but a critical vulnerability (CVE-2025-14558) hiding in its IPv6 auto-configuration feature turned a simple convenience into a catastrophic backdoor. This video breaks down how a single network packet, crafted with just a few malicious characters, allowed attackers to hijack servers on the same network segment. We'll explore the mechanics of this 9.8/10 severity flaw, from the "misplaced trust" between system components to the simple command injection that enabled it. Learn how public exploits automate this attack, why OS command injection remains a threat in 2025, and most importantly, how to patch and defend your systems against it!

The vulnerability stems from command injection weaknesses in how FreeBSD handles IPv6 auto-configuration. Attackers on the same network segment can send a specially crafted Router Advertisement packet containing malicious characters that get passed directly to system commands without proper sanitization. What makes this particularly dangerous is the "misplaced trust" between system components—the rtsold daemon assumes data from the network is safe to pass to shell commands, creating a direct path from network packet to root-level code execution.

What Happened

FreeBSD's IPv6 auto-configuration feature uses the rtsold daemon to discover network routers and configure network settings automatically. This daemon processes Router Advertisement messages from routers on the local network segment.

The vulnerability exists in how rtsold handles data from these Router Advertisement packets. When processing certain fields—specifically DNS search domains and other configuration parameters—the daemon passes this data to system commands without proper input validation or sanitization.

An attacker on the same network can send a Router Advertisement packet with specially crafted characters (like backticks, semicolons, or command substitution syntax) embedded in configuration fields. When rtsold processes this packet, it executes the attacker's commands with the privileges of the rtsold process.

FreeBSD released security advisory FreeBSD-SA-25:12.rtsold.asc on January 7, 2025, confirming the vulnerability and providing patches. A researcher known as "Ashwesker" published proof-of-concept exploit code on GitHub shortly after disclosure, demonstrating automated exploitation.

The attack requires the attacker to be on the same network segment as the target system, but no authentication is needed. Once exploited, attackers gain the ability to execute arbitrary commands on the vulnerable FreeBSD system.

Who's Affected

You may be affected if:

  • You're running FreeBSD systems with IPv6 enabled
  • Your FreeBSD servers are on networks where Router Advertisements are processed
  • You haven't applied the January 2025 security patches
  • You're running FreeBSD versions prior to the patched releases
  • Your systems use the rtsold daemon for IPv6 auto-configuration

The vulnerability affects FreeBSD systems across multiple versions. Any FreeBSD installation with IPv6 functionality enabled and the rtsold daemon running is potentially vulnerable. This includes servers, network appliances, and embedded systems built on FreeBSD.

The attack is limited to the local network segment, meaning attackers need either physical network access or prior compromise of a system on the same network. However, once on the network, exploitation requires no special privileges or authentication.

This represents one of the more severe FreeBSD vulnerabilities in recent years due to its 9.8 CVSS score and the availability of public exploit code. While FreeBSD is known for stability and security, command injection vulnerabilities like this demonstrate that even mature operating systems require constant vigilance.

What You Should Do

IMMEDIATE ACTION:

Apply the security patches released in FreeBSD advisory FreeBSD-SA-25:12.rtsold.asc immediately. Navigate to FreeBSD's security advisories page, download the appropriate patch for your version, and follow the installation instructions. Reboot affected systems to ensure the patched daemon is running.

SHORT-TERM PROTECTION:

If you can't patch immediately, disable the rtsold daemon on affected systems as a temporary workaround. Run service rtsold stop and sysrc rtsold_enable="NO" to prevent the daemon from starting. This will disable IPv6 auto-configuration but protects against exploitation. Alternatively, implement strict network segmentation to limit who can send Router Advertisement packets to your FreeBSD systems.

LONG-TERM PREVENTION:

Subscribe to FreeBSD security announcement mailing lists to receive immediate notification of future vulnerabilities. Implement a patch management process that prioritizes critical security updates. Consider network monitoring to detect unusual Router Advertisement traffic, which could indicate exploitation attempts. Review your IPv6 deployment strategy and disable IPv6 on systems that don't require it.

For IT Professionals:

Monitor for indicators of compromise by checking system logs for unexpected command executions or process spawning from the rtsold daemon. Review network traffic for malformed Router Advertisement packets. Audit systems for unauthorized changes that may have occurred if exploitation already happened. Implement network access controls that restrict which systems can send Router Advertisements on your networks.
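One way to implement the traffic review above, as an added example (not code from the original article or from FreeBSD's rtsold): a parser for the Router Advertisement DNS Search List option (RFC 8106) that decodes the search domains rtsold would consume and flags any label that is not a plain hostname label. The build_dnssl helper and the sample names are constructed here for testing; the checks assume the option bytes have already been extracted from a captured ICMPv6 Router Advertisement.

```python
import re
import struct
from typing import List

# RFC 8106 DNSSL option: type 31, length in units of 8 octets, 2 reserved
# bytes, 4-byte lifetime, then DNS-encoded domain names with zero padding.
DNSSL_TYPE = 31
# RFC 1035 hostname label: letters, digits, interior hyphens, max 63 octets.
# Deliberately stricter than DNS itself, so shell metacharacters never pass.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def parse_dnssl_names(option: bytes) -> List[str]:
    """Decode the search domains carried in one RA DNSSL option."""
    if len(option) < 8 or option[0] != DNSSL_TYPE:
        raise ValueError("not a DNSSL option")
    if option[1] * 8 != len(option):
        raise ValueError("length field does not match option size")
    names, labels, pos = [], [], 8
    while pos < len(option):
        n = option[pos]
        pos += 1
        if n == 0:                      # end of a name, or trailing padding
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        if n > 63 or pos + n > len(option):
            raise ValueError("malformed label")
        labels.append(option[pos:pos + n].decode("latin-1"))
        pos += n
    if labels:
        raise ValueError("unterminated domain name")
    return names


def unsafe_names(names: List[str]) -> List[str]:
    """Return the search domains with any label outside the hostname grammar."""
    return [n for n in names
            if not all(LABEL_RE.fullmatch(lbl) for lbl in n.split("."))]


def build_dnssl(names: List[str], lifetime: int = 1800) -> bytes:
    """Test fixture (constructed): encode names as a DNSSL option."""
    body = b""
    for name in names:
        for label in name.split("."):
            body += bytes([len(label)]) + label.encode("latin-1")
        body += b"\x00"
    body += b"\x00" * ((-(8 + len(body))) % 8)
    return (bytes([DNSSL_TYPE, (8 + len(body)) // 8]) + b"\x00\x00"
            + struct.pack("!I", lifetime) + body)
```

Run over a captured option, a non-empty result from unsafe_names is the signal to alert on; the sample fixture in the test uses a label containing a semicolon, one of the characters the article names.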

Why This Matters

Command injection vulnerabilities remain a persistent threat in 2025, even in mature operating systems with decades of development history. This FreeBSD flaw demonstrates how trust relationships between system components can create security gaps when one component fails to validate external input.

The 9.8 severity score places this among the most critical vulnerabilities FreeBSD has faced. The combination of no authentication required, network-based exploitation, and arbitrary code execution makes this a priority target for attackers. Public exploit availability means even unsophisticated attackers can leverage this vulnerability.

FreeBSD powers critical infrastructure, network appliances, and security devices worldwide. Many organizations use FreeBSD specifically for its reputation for stability and security, which means vulnerable systems may receive less frequent security scrutiny than systems perceived as higher risk. This creates a potential blind spot where critical systems remain unpatched longer than they should.

The local network requirement limits some attack scenarios, but attackers who've compromised any device on a network—including through phishing, malware, or physical access—can use this vulnerability to pivot to FreeBSD systems. In data center environments where network segmentation may be weak, a single compromised system could enable widespread exploitation.
