CVE-2025-14558 - Vulnerability Analysis
High | CVSS: 7.2 | Last Updated: March 9, 2026
rtsol & rtsold - Command Injection
Published: March 9, 2026 | Updated: March 9, 2026 | PoC Available | Remote Exploitable
Overview
rtsol(8) and rtsold(8) do not validate the domain search list option in router advertisement messages and pass the unquoted input to the resolvconf(8) shell script. This lets remote attackers execute arbitrary shell commands. Exploitation requires crafted router advertisement messages.
Severity & Score
Severity: High
CVSS Score: 7.2
Impact
Attackers can execute arbitrary shell commands remotely, potentially leading to full system compromise.
Mitigation
Update to the latest version with input validation and proper quoting in resolvconf(8).
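One way to implement the input validation named in the mitigation, as an added example that is not the vendor's fix or code from this page: an allow-list check applied to each domain search list entry before it is handed to a shell script. The function name `dnssl_name_is_safe`, the sample strings, and the strict letters-digits-hyphen policy (which also rejects underscores) are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN  253 /* textual DNS name limit */
#define MAX_LABEL_LEN 63  /* per-label DNS limit */

/*
 * Hypothetical helper (not from rtsold): true only for a plain
 * letters-digits-hyphen hostname. Whitespace and every shell
 * metacharacter fail the allow-list, so they never reach a script.
 */
bool dnssl_name_is_safe(const char *name)
{
    size_t len, label_len = 0;

    if (name == NULL)
        return false;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME_LEN)
        return false;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];

        if (c == '.') {
            /* Reject empty labels and labels ending in '-'. */
            if (label_len == 0 || name[i - 1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        bool alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                     (c >= '0' && c <= '9');
        if (!alnum && c != '-')
            return false;            /* not on the allow-list */
        if (c == '-' && label_len == 0)
            return false;            /* label may not start with '-' */
        if (++label_len > MAX_LABEL_LEN)
            return false;
    }
    return name[len - 1] != '-';     /* one trailing dot is tolerated */
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *s[] = { "corp.example.com", "example.com;x", "a b.example" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-20s %s\n", s[i], dnssl_name_is_safe(s[i]) ? "accept" : "reject");
    return 0;
}
```

Validation of this kind complements, and does not replace, quoting the value wherever a shell script expands it.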
Details
- CVE ID: CVE-2025-14558
- Severity: High
- CVSS Score: 7.2
- Type: command_injection
- Status: unconfirmed
CWE
- CWE-20
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H