Main Vulnerability Database Vulnerabilities #VU120165

OS command injection in FreeBSD - CVE-2025-14558

Published: December 17, 2025 / Updated: February 13, 2026

Vulnerability identifier: #VU120165

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2025-14558

CWE-ID: CWE-78

Exploitation vector: Adjecent network

Exploit availability: The vulnerability is being exploited in the wild

Vendor: FreeBSD Foundation

Affected software:
FreeBSD

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the rtsold(8) and rtsol(8) scripts when processing the domain search list options provided in IPv6 router advertisement messages. A remote unauthenticated attacker in the same network segment can send specially crafted ND6 router advertisements and execute arbitrary OS commands on the system.

How to mitigate CVE-2025-14558

Install updates from vendor's website.

Sources

https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc

OS command injection in FreeBSD - CVE-2025-14558

Detailed vulnerability description

How to mitigate CVE-2025-14558

Sources

Please verify you're human