Problem
On December 16, 2025, FreeBSD® published a security advisory for a remote command execution vulnerability in rtsold, the IPv6 router solicitation daemon. The advisory can be found here:
https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
Discussion
While remote command execution vulnerabilities are concerning, exploitation of this particular vulnerability would be difficult. The attacker must be on the same link (layer 2 segment) as a pfSense® software interface that is configured to obtain an IPv6 address using DHCPv6 (e.g. WAN), because IPv6 router advertisements are link-local multicast messages that routers do not forward, and the attacker must also be able to deliver such multicast messages to that interface.
In this case, an attacker can send a correctly timed IPv6 router advertisement containing a DNS search list (DNSSL) entry with a malicious payload, and the contents could be executed as shell commands on the pfSense software installation. Exploitation requires very precise timing, as the vulnerable window is very short.
This vulnerability exists because DNS search list data is not validated. When rtsold receives an IPv6 router advertisement carrying RDNSS (Recursive DNS Server) or DNSSL (DNS Search List) options, it executes a script to update the system DNS configuration. It passes the DNSSL content, unvalidated, to that shell script, /sbin/resolvconf, which likewise does not validate the data before using it. DNS labels are arbitrary octets on the wire, so nothing in the protocol itself prevents shell metacharacters from appearing in a search list entry.
pfSense software does not rely on /sbin/resolvconf to manage resolv.conf, and it configures that script not to write any files. The script is nonetheless executed and processes the hostile data, so the vulnerability is still valid on pfSense software.
pfSense software runs rtsold with the -1 parameter, which causes it to exit after the first router advertisement it receives. The daemon is therefore only active for a brief window during interface configuration, and the first responder is normally the legitimate router on the segment, which limits exposure. However, an attacker who answers the router solicitation before the legitimate router, or who is the only responder on the segment, can still trigger the bug.
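To make the data flow concrete, here is an added example, not code from rtsold, resolvconf or pfSense software: it builds and parses the DNSSL option of a router advertisement (RFC 8106, ND option type 31), then contrasts the unpatched pattern (search list names spliced into a command line that a shell parses) with a validating path that accepts only RFC 1035 hostnames and hands them to the update script as argv. The packets, the ./update-resolver script path and the em0 interface name are constructed for the example and are not rtsold's real invocation.

```python
"""
Added example (not rtsold, resolvconf or pfSense code): build and parse an
RFC 8106 DNSSL option, then show why unvalidated search-list names must
never reach a shell. Every packet below is constructed for this example.
"""
import re

DNSSL_TYPE = 31
# RFC 1035 hostname label: alphanumerics and hyphens, no hyphen at either
# end, at most 63 octets. Spaces, ';', '$', quotes and so on are rejected.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def encode_dnssl_option(lifetime: int, names: list[str]) -> bytes:
    """DNSSL option: type, length (8-octet units), reserved, lifetime,
    DNS wire-format names, zero padding. Labels are raw octets on the wire,
    so nothing here stops shell metacharacters from being encoded."""
    body = b""
    for name in names:
        for label in name.split("."):
            raw = label.encode("latin-1")
            if not 0 < len(raw) <= 63:
                raise ValueError("label length out of range")
            body += bytes([len(raw)]) + raw
        body += b"\x00"  # terminates one name
    total = 8 + len(body)
    pad = (-total) % 8
    header = bytes([DNSSL_TYPE, (total + pad) // 8, 0, 0])
    return header + lifetime.to_bytes(4, "big") + body + b"\x00" * pad


def decode_names(buf: bytes) -> list[str]:
    """Decode zero-terminated wire-format names; a name that starts with a
    zero byte is the trailing padding, so decoding stops there."""
    names, i = [], 0
    while i < len(buf):
        labels = []
        while True:
            if i >= len(buf):
                raise ValueError("truncated name")
            n = buf[i]
            i += 1
            if n == 0:
                break
            if n > 63 or i + n > len(buf):
                raise ValueError("bad label length")
            labels.append(buf[i:i + n].decode("latin-1"))
            i += n
        if not labels:
            break
        names.append(".".join(labels))
    return names


def parse_dnssl_option(opt: bytes) -> tuple[int, list[str]]:
    """Return (lifetime, names) from one DNSSL option after header checks."""
    if len(opt) < 8 or opt[0] != DNSSL_TYPE:
        raise ValueError("not a DNSSL option")
    if opt[1] == 0 or opt[1] * 8 != len(opt):
        raise ValueError("length field does not match option size")
    return int.from_bytes(opt[4:8], "big"), decode_names(opt[8:])


def valid_search_name(name: str) -> bool:
    """Accept only RFC 1035 hostnames, the check a validating daemon enforces."""
    if not 0 < len(name) <= 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def invalid_names(names: list[str]) -> list[str]:
    """Names that fail validation; an empty list means the set is clean."""
    return [n for n in names if not valid_search_name(n)]


def unsafe_shell_command(names: list[str]) -> str:
    """Models the unpatched pattern: names spliced, unvalidated, into text a
    shell will parse. Script path and interface are placeholders."""
    return "echo search " + " ".join(names) + " | ./update-resolver -a em0"


def safe_argv(names: list[str]) -> list[str]:
    """Hardened path: reject anything that is not a hostname, then pass the
    names as separate argv entries so no shell ever parses them."""
    bad = invalid_names(names)
    if bad:
        raise ValueError(f"rejected DNSSL names: {bad}")
    return ["./update-resolver", "-a", "em0", "--search", *names]


if __name__ == "__main__":
    benign = encode_dnssl_option(1800, ["example.net", "corp.example.net"])
    hostile = encode_dnssl_option(1800, ["x; echo injected"])
    for opt in (benign, hostile):
        lifetime, names = parse_dnssl_option(opt)
        print("names:", names, "rejected:", invalid_names(names))
        print("unpatched would run:", unsafe_shell_command(names))
```

Run it and the hostile option decodes cleanly (the wire format is happy to carry the label), the unsafe command string contains a second command after the `;`, and `safe_argv` refuses the same input before anything is executed. The -R /usr/bin/true workaround described below sidesteps the whole question by never running a script that consumes the names.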
Solution
Since pfSense software does not rely on /sbin/resolvconf, the workaround is a patch linked in Redmine issue #16593 which passes -R /usr/bin/true to rtsold, so that rtsold runs /usr/bin/true instead of the problematic script. With that change in place, the malicious data is never handed to a shell and has no effect. FreeBSD has added validation to rtsold itself, which will address the problem at a lower level in future releases of pfSense software.
To mitigate this issue now:
- Users without IPv6 connectivity: simply ensure that no interfaces are configured to use DHCPv6.
- Users with IPv6 connectivity requiring DHCPv6: apply the patch attached to Redmine issue #16593, or the corresponding recommended patch in the System Patches package. An updated System Patches package is published for pfSense Plus 25.11, pfSense Plus 25.07.1, and pfSense CE 2.8.1.
The patch attached to Redmine issue #16593 applies to pfSense Plus software versions 23.05 and newer, as well as pfSense CE software versions 2.7.0 and newer. Older installations should upgrade to a supported release or make similar source changes manually.