Published: in News
OPNsense 25.7.10 Update Addresses IPv6 Router Advertisement Issue (CVE-2025-14558)
OPNsense version 25.7.10 has been released, primarily to address a FreeBSD vulnerability affecting IPv6 router advertisement handling. Systems using IPv6 auto-configuration or DHCPv6 should update as soon as practical.
If you prefer a walkthrough, the video below explains the issue and the update in more detail. A full written summary and guidance are provided in this article.
What is the vulnerability?
The issue originates from a FreeBSD security advisory affecting the rtsold daemon, which listens for IPv6 Router Advertisement (RA) messages used to automatically configure IPv6 networking.
Under certain conditions, a specially crafted RA message could result in unintended command execution. This is due to improper handling of DNS search list (DNSSL) options passed through the configuration process.
This vulnerability is tracked as CVE-2025-14558 (FreeBSD-SA-25:12).
How does this affect OPNsense?
OPNsense uses rtsold when IPv6 auto-configuration is enabled on interfaces such as the WAN.
Important limitations apply:
- Router Advertisement packets are link-local and do not travel across the internet.
- An attacker would need to be on the same local network segment as the affected interface.
- Systems not using IPv6, or not accepting router advertisements, are not affected.
Despite the limited exposure, OPNsense released 25.7.10 promptly to ensure the underlying FreeBSD fix is applied.
What has been fixed in OPNsense 25.7.10?
Version 25.7.10 includes the upstream FreeBSD fix that properly sanitises the DNS search list values received via router advertisements. This removes the execution path that could be abused by malformed packets and closes the vulnerability.
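To make the DNSSL handling concrete, here is an added example; it is not rtsold's code and not the FreeBSD patch. It decodes one DNS Search List option as laid out in RFC 8106 (type 31, length in 8-octet units, reserved field, lifetime, then DNS wire-format names padded to an 8-octet boundary) and keeps only names that fit hostname syntax before they would be handed to resolver configuration. The option bytes are constructed here, and the label rule (RFC 1123 letters, digits and hyphens, no leading or trailing hyphen) is the validation policy chosen for the example, not one stated by the advisory.

```python
import re
import struct

DNSSL_OPTION_TYPE = 31  # RFC 8106 DNS Search List option type

# RFC 1123 hostname label: 1-63 characters, letters/digits/hyphen, no hyphen at either end.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_dnssl_option(option: bytes) -> tuple:
    """Decode one RA DNSSL option into (lifetime, [raw names]).

    Deliberately no validation here: names come back exactly as carried
    on the wire, so the policy step below is visibly separate."""
    if len(option) < 8 or option[0] != DNSSL_OPTION_TYPE:
        raise ValueError("not a DNSSL option")
    length_units = option[1]
    if length_units < 2 or len(option) != length_units * 8:
        raise ValueError("option length field does not match payload")
    lifetime = struct.unpack("!I", option[4:8])[0]
    names, labels, pos = [], [], 8
    while pos < len(option):
        llen = option[pos]
        pos += 1
        if llen == 0:
            if labels:                      # end of one domain name
                names.append(".".join(labels))
                labels = []
            continue                        # otherwise trailing zero padding
        if llen > 63 or pos + llen > len(option):
            raise ValueError("malformed label")
        labels.append(option[pos:pos + llen].decode("latin-1"))
        pos += llen
    if labels:
        raise ValueError("unterminated domain name")
    return lifetime, names


def is_valid_search_domain(name: str) -> bool:
    """Accept only RFC 1123 hostnames of at most 253 characters."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def sanitise_search_list(names) -> tuple:
    """Split received names into (accepted, rejected); only 'accepted' may reach resolver config."""
    accepted = [n for n in names if is_valid_search_domain(n)]
    rejected = [n for n in names if not is_valid_search_domain(n)]
    return accepted, rejected


def build_dnssl_option(lifetime: int, names) -> bytes:
    """Encode a DNSSL option (used here only to construct sample input)."""
    body = b""
    for name in names:
        for label in name.split("."):
            raw = label.encode("latin-1")
            body += bytes([len(raw)]) + raw
        body += b"\x00"
    pad = (-(8 + len(body))) % 8
    header = struct.pack("!BBHI", DNSSL_OPTION_TYPE, (8 + len(body) + pad) // 8, 0, lifetime)
    return header + body + b"\x00" * pad


# Constructed sample: two well-formed search domains and one label that is not a hostname.
SAMPLE_OPTION = build_dnssl_option(1800, ["example.net", "corp.example", "bad label"])

if __name__ == "__main__":
    lifetime, raw_names = parse_dnssl_option(SAMPLE_OPTION)
    ok, bad = sanitise_search_list(raw_names)
    print("lifetime:", lifetime, "accepted:", ok, "rejected:", bad)
```

The point of the split is that the wire-format parser accepts any octets a label can carry, so the hostname check is the only thing standing between a received option and whatever consumes the search list; a fix of the kind described above has to sit at exactly that boundary.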
Users who:
- Do not use IPv6, or
- Use IPv6 but do not accept router advertisements
are not impacted by this issue.
Additional security note: Python DoS issue (CVE-2025-6075)
The release notes also reference a Python vulnerability related to potential denial-of-service behaviour when processing specially crafted input in certain functions, including os.path.expandvars.
This issue can result in excessive CPU usage due to inefficient processing of nested or repeated variable patterns. It does not allow code execution or data exposure, and is rated as low severity.
At the time of release, no updated Python 3.11 package was available upstream, but administrators should remain aware of the issue in environments where Python is exposed to untrusted input.
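As an added illustration of the mitigation the note implies (keep untrusted strings away from the affected routine, or bound the work done on them), here is a bounded, single-pass variable expander. It is an example written for this article, not Python's os.path.expandvars and not the upstream fix. It handles only the $NAME and ${NAME} forms (an assumption: callers here do not need Windows-style %NAME%), leaves unknown names untouched as os.path.expandvars does, never rescans substituted text, and rejects oversized input before any work is done.

```python
import re

# One pass over the input: each '$' is examined once, so cost is linear in the input length.
_VAR_RE = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")


def bounded_expandvars(text: str, env: dict, max_len: int = 4096) -> str:
    """Expand $NAME and ${NAME} from 'env' in a single pass with an input size cap.

    max_len is an assumed policy value; pick it to suit the caller."""
    if len(text) > max_len:
        raise ValueError("input of %d characters exceeds the %d character bound" % (len(text), max_len))

    def repl(match):
        name = match.group(1) or match.group(2)
        # Unknown names are left exactly as written, matching os.path.expandvars behaviour.
        return env.get(name, match.group(0))

    return _VAR_RE.sub(repl, text)


if __name__ == "__main__":
    sample_env = {"HOME": "/home/ops", "USER": "ops"}  # constructed environment
    print(bounded_expandvars("$HOME/${USER}/.config", sample_env))
    print(bounded_expandvars("$" * 40 + "$UNSET", sample_env))
```

Because substitution values are not fed back into the scanner and the input length is capped, a string built from repeated variable markers costs no more than its length to process, whatever the stdlib implementation underneath does.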
Other notable improvements in 25.7.10
Beyond the security fixes, this update includes a wide range of system and service improvements.
Captive portal improvements
Captive portal accounting has returned to IPFW, which performs better than PF in larger deployments and restores compatibility with certain configurations, including portals running over WireGuard. Legacy PF hooks are expected to be fully removed in OPNsense 26.1.
Intrusion detection (Suricata) clean-up
The Suricata integration has received significant maintenance updates:
- Refactored query scripts
- Deprecation of older configuration paths
- Improved configuration management via conf.d
- Simplified user control
These changes improve maintainability and future upgrade paths.
DHCP relay and high-availability improvements
DHCP relay now tracks CARP VHIDs, ensuring correct behaviour during failover in high-availability environments.
Firewall live log enhancements
Quality-of-life improvements include:
- Customisable columns
- Combined hostname display
- Larger table size options
- Faster refresh behaviour
These changes make real-time troubleshooting more practical.
System and framework clean-ups
Numerous internal improvements reduce technical debt, including:
- Normalised sample configuration files
- Updated gateway device handling
- Removal of legacy execution methods
- Improved XML processing
- Framework helper updates
While not user-visible features, these changes improve overall reliability.
DNS and Unbound updates
Unbound has removed support for unstable third-party blocklists and improved internal handling of blocklist updates and metadata.
OpenVPN updates
Updates include:
- Restored AES-256-CBC support for legacy compatibility
- Improved certificate verification handling
- Removal of deprecated execution paths
Plugin, driver and kernel updates
Several plugins and network drivers have been updated, particularly improving stability and behaviour on Intel network adapters. Netmap, PF, synchronisation handling, and tunnel interface definitions also received fixes.
FreeBSD ports updates
Routine maintenance and security updates were applied to several system components, including dpinger, libucl, NSS, PHP and related libraries.
Should you update?
If you use IPv6 on your WAN or any interface that accepts router advertisements, updating to OPNsense 25.7.10 is strongly recommended.
Although the vulnerability requires local network access and cannot be exploited remotely over the internet, it is still a remotely triggerable condition within the local segment and should be addressed.
Even if you do not use IPv6, this release includes meaningful improvements across the firewall, captive portal, intrusion detection, and core system stability, making the update worthwhile.
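To turn the criteria above into a repeatable check, here is an added script (not OPNsense's own tooling) that applies them: a release at or above 25.7.10 is patched; otherwise a host that neither accepts router advertisements nor runs rtsold is not exposed, and anything else should be updated. The decision logic is pure and takes three inputs; the gathering function assumes a FreeBSD/OPNsense host with opnsense-version, sysctl, ifconfig and pgrep on PATH, and the version strings used for demonstration are constructed.

```python
import re
import shutil
import subprocess

# First OPNsense release carrying the upstream rtsold fix, per the release notes.
FIXED_VERSION = (25, 7, 10)


def parse_version(text: str) -> tuple:
    """Pull MAJOR.MINOR[.PATCH] out of a string such as 'OPNsense 25.7.10 (amd64)'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess_exposure(version_text: str, accepts_ra: bool, rtsold_running: bool) -> str:
    """Apply the article's criteria and return a one-line verdict."""
    if parse_version(version_text) >= FIXED_VERSION:
        return "patched: running 25.7.10 or later, which carries the rtsold fix"
    if not accepts_ra and not rtsold_running:
        return "not exposed: router advertisements are not accepted and rtsold is not running"
    return "exposed: unpatched release with RA acceptance or rtsold active; update to 25.7.10"


def gather_facts() -> tuple:
    """Collect the three inputs on a FreeBSD/OPNsense host.

    Assumes the FreeBSD tools sysctl, ifconfig and pgrep plus OPNsense's
    opnsense-version are available; returns (version text, accepts RAs, rtsold running)."""
    def out(cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

    version = out(["opnsense-version"])
    # Global default for RA acceptance, plus per-interface ACCEPT_RTADV in ifconfig's nd6 options.
    accepts_ra = (out(["sysctl", "-n", "net.inet6.ip6.accept_rtadv"]).strip() == "1"
                  or "ACCEPT_RTADV" in out(["ifconfig", "-a"]))
    running = subprocess.run(["pgrep", "-x", "rtsold"], capture_output=True).returncode == 0
    return version, accepts_ra, running


if __name__ == "__main__":
    if shutil.which("opnsense-version") is None:
        # Not an OPNsense host: show the logic on constructed inputs instead.
        print(assess_exposure("OPNsense 25.7.5 (amd64)", True, True))
        print(assess_exposure("OPNsense 25.7.10 (amd64)", True, True))
    else:
        print(assess_exposure(*gather_facts()))
```

Run it on the firewall itself (over SSH or from a console shell) so the gathered facts describe the host in question; the same assess_exposure function can also be fed values recorded from several firewalls to triage a fleet.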
Summary
- CVE-2025-14558 affects IPv6 router advertisement handling in FreeBSD
- OPNsense 25.7.10 includes the upstream fix
- Only systems using IPv6 auto-configuration or RA acceptance are affected
- Exposure is limited to the local network but still warrants patching
- The release also delivers broad stability and service improvements
Keeping firewall systems up to date remains essential, particularly when network-level vulnerabilities are disclosed.