
pfSense Affected by IPv6 RA Bug (CVE-2025-14558): What to Do

By Sam Sheridan - 14th January, 2026

A recently disclosed FreeBSD vulnerability affects the rtsold service used by pfSense when configuring IPv6 connections. While exploitation is difficult and limited in scope, users who rely on IPv6 should apply the recommended mitigation.

This article explains what the issue is, how pfSense is affected, and what action you should take.

A video explanation of this issue and the recommended mitigation is provided below, followed by a written summary and instructions in this article.


What is the vulnerability?

FreeBSD has published an advisory for a remote command execution vulnerability in rtsold, the daemon responsible for processing IPv6 Router Advertisement (RA) messages. These messages are used to automatically configure IPv6 network settings.

The flaw relates to how rtsold handles the DNSSL (DNS Search List) option in RA packets. This data is passed to /sbin/resolvconf, a shell script used to update DNS settings. Because the DNSSL input is not properly validated, specially crafted values could be interpreted as shell commands.

In simple terms, a malicious IPv6 router advertisement could cause unintended commands to be executed.

This issue is tracked as CVE-2025-14558 (FreeBSD-SA-25:12).
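To make the "not properly validated" point concrete, here is an added example (not code from FreeBSD, Netgate or the article) of the check a consumer of the DNSSL option should perform before handing search names to any script: parse the option's DNS wire-format names and accept only letters-digits-hyphen hostname labels, rejecting everything else. The option layout (type 31, length in 8-octet units, reserved field, lifetime, then zero-padded names) follows RFC 8106; the encoder exists only to construct sample input and deliberately does no validation.

```python
from __future__ import annotations

import re
import struct

# RFC 8106 section 5.2: DNSSL option type 31; names are in DNS wire format
# (length-prefixed labels, zero terminator) and the option is zero-padded
# to a multiple of 8 octets.
DNSSL_OPTION_TYPE = 31
# Letters, digits and hyphen only, no leading/trailing hyphen, 1-63 chars.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
MAX_NAME_LEN = 253


def encode_dnssl(lifetime: int, names: list[str]) -> bytes:
    """Build a DNSSL option in wire format. Deliberately does no validation
    so that malformed test input can be constructed for parse_dnssl()."""
    body = b""
    for name in names:
        for label in name.split("."):
            raw = label.encode("ascii")
            body += bytes([len(raw)]) + raw
        body += b"\x00"
    total = 8 + len(body)                 # 8-octet header + names
    padded = (total + 7) // 8 * 8         # length field counts 8-octet units
    body += b"\x00" * (padded - total)
    return struct.pack("!BBHI", DNSSL_OPTION_TYPE, padded // 8, 0, lifetime) + body


def parse_dnssl(option: bytes) -> tuple[int, list[str]]:
    """Parse a DNSSL option and return (lifetime, search_names).

    Raises ValueError on anything that is not a well-formed list of
    LDH hostnames, so the caller never sees shell-unsafe text."""
    if len(option) < 8:
        raise ValueError("option too short for a DNSSL header")
    opt_type, opt_len, _reserved, lifetime = struct.unpack("!BBHI", option[:8])
    if opt_type != DNSSL_OPTION_TYPE:
        raise ValueError(f"not a DNSSL option (type {opt_type})")
    if opt_len == 0 or opt_len * 8 != len(option):
        raise ValueError("length field does not match option size")

    names: list[str] = []
    labels: list[str] = []
    pos = 8
    while pos < len(option):
        n = option[pos]
        pos += 1
        if n == 0:
            if labels:                    # terminator of a complete name
                name = ".".join(labels)
                if len(name) > MAX_NAME_LEN:
                    raise ValueError(f"name too long: {name!r}")
                names.append(name)
                labels = []
            elif any(option[pos:]):       # reached padding: rest must be zero
                raise ValueError("non-zero data after padding")
            continue
        if n >= 0x40:                     # compression pointers / extended labels
            raise ValueError(f"illegal label length byte 0x{n:02x}")
        if pos + n > len(option):
            raise ValueError("label runs past end of option")
        raw = option[pos:pos + n]
        pos += n
        try:
            label = raw.decode("ascii")
        except UnicodeDecodeError as exc:
            raise ValueError(f"non-ASCII label {raw!r}") from exc
        if not LABEL_RE.fullmatch(label):
            raise ValueError(f"label {label!r} is not a valid LDH hostname label")
        labels.append(label)
    if labels:
        raise ValueError("truncated name: missing terminating zero")
    return lifetime, names


def dnssl_error(option: bytes) -> str | None:
    """Convenience wrapper: None if the option is acceptable, else the reason."""
    try:
        parse_dnssl(option)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: two ordinary search domains (not captured traffic).
    good = encode_dnssl(1800, ["example.com", "corp.example.net"])
    print(parse_dnssl(good))
    # Constructed sample with a label that is not a hostname label.
    print(dnssl_error(encode_dnssl(1800, ["ex ample.com"])))
```

The important design choice is that validation happens on the decoded labels, by allow-list, before the names are turned back into a string; a consumer that only checks option lengths and then concatenates whatever bytes arrive is exactly the shape of the weakness the advisory describes.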


How is pfSense affected?

pfSense is affected, but with important limitations.

To exploit this vulnerability:

  • An attacker must be on the same local network segment as the affected pfSense interface.

  • That interface must be using DHCPv6 or IPv6 auto-configuration (SLAAC).

  • The attacker must be able to send IPv6 multicast router advertisement packets.

This rules out typical internet-based attacks. In addition, pfSense runs rtsold with a flag that causes it to exit after receiving the first router advertisement, which significantly limits the exposure window. In most cases, the first response comes from the ISP’s router.

However, if an attacker were able to send a spoofed router advertisement before the legitimate one arrives, or if they were the only device responding, the vulnerability could still be triggered.


Why does this still matter?

pfSense does not rely on /sbin/resolvconf to manage DNS configuration, and the script is configured not to write system files. However, the script is still executed when triggered by rtsold.

This means the unsafe execution path still exists, even if pfSense does not use the result. For that reason, the vulnerability is considered valid and should be mitigated.


Netgate’s recommended mitigation

Netgate has provided a workaround patch that instructs rtsold to completely bypass /sbin/resolvconf by replacing it with /usr/bin/true. This prevents any script execution, even if a malicious DNSSL value is received.

The patch is available through the System Patches package for:

  • pfSense Plus 23.05 and newer

  • pfSense CE 2.7.0 and newer

If you are running an older version, you should upgrade to a supported release.

This workaround fully mitigates the issue until FreeBSD’s upstream fix is included in a future pfSense release.
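After applying the patch, an administrator will want to confirm what rtsold is actually running with. The following is an added example (not Netgate's patch and not pfSense code) that classifies rtsold command lines taken from `ps -axww -o args` output: it reports which script each instance will hand DNSSL data to and whether that script is the no-op `/usr/bin/true`. It assumes rtsold's `-R script` option is how the script path is set (FreeBSD rtsold(8)) and that the exit-after-first-RA flag the article mentions is `-1`; the exact argument set pfSense uses is not shown in the article, so the sample process list is constructed.

```python
from __future__ import annotations

import shlex

# rtsold's default script when no -R is given (FreeBSD rtsold(8)); the
# mitigation described above replaces it with /usr/bin/true.
DEFAULT_SCRIPT = "/sbin/resolvconf"
SAFE_SCRIPT = "/usr/bin/true"


def classify_rtsold(cmdline: str) -> dict | None:
    """Inspect one process command line. Returns None for non-rtsold processes,
    otherwise a dict with the script rtsold will run, whether that is the
    no-op mitigation, and whether the exit-after-first-RA flag is present."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "rtsold":
        return None
    script = DEFAULT_SCRIPT
    one_shot = False
    interfaces: list[str] = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-R" and i + 1 < len(argv):        # "-R /path" form
            script = argv[i + 1]
            i += 2
            continue
        if arg.startswith("-R") and len(arg) > 2:    # "-R/path" form
            script = arg[2:]
        elif arg in ("-p", "-O") and i + 1 < len(argv):  # pidfile / other-config script
            i += 2
            continue
        elif arg.startswith("-"):
            if "1" in arg[1:]:                       # -1: exit after first RA (assumed flag)
                one_shot = True
        else:
            interfaces.append(arg)                   # remaining args are interfaces
        i += 1
    return {
        "cmdline": cmdline,
        "script": script,
        "mitigated": script == SAFE_SCRIPT,
        "one_shot": one_shot,
        "interfaces": interfaces,
    }


def audit_process_list(ps_output: str) -> list[dict]:
    """Classify every rtsold line in `ps -axww -o args` style output."""
    results = []
    for line in ps_output.splitlines():
        line = line.strip()
        if not line:
            continue
        info = classify_rtsold(line)
        if info is not None:
            results.append(info)
    return results


# Constructed sample process list (not real pfSense output; the exact
# argument set pfSense uses is not shown in the article).
SAMPLE_PS = """\
/sbin/rtsold -1 -p /var/run/rtsold_igb0.pid igb0
/sbin/rtsold -1 -R /usr/bin/true -p /var/run/rtsold_igb1.pid igb1
/usr/local/sbin/unbound -c /var/unbound/unbound.conf
"""

if __name__ == "__main__":
    for info in audit_process_list(SAMPLE_PS):
        state = "mitigated" if info["mitigated"] else "NOT mitigated"
        print(f"{info['interfaces']}: script={info['script']} ({state}), "
              f"one_shot={info['one_shot']}")
```

On a live firewall the same function can be fed the real output of `ps -axww -o args` from a shell; an rtsold instance that still resolves to `/sbin/resolvconf` is one where the workaround has not taken effect for that interface. Because rtsold exits once the first RA arrives, an interface that has already finished solicitation will show no process at all, so an empty result is not by itself proof of mitigation.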


What action should you take?

If you do not use IPv6

You are not affected, provided that no interfaces are configured for:

  • DHCPv6, or

  • IPv6 auto-configuration (SLAAC)

No further action is required.


If you use IPv6

You should apply the recommended patch using the System Patches package.


How to apply the patch automatically

This is the recommended method.

  1. Go to System → Package Manager → Available Packages

  2. Search for system_patches

  3. Install or update the package

Then:

  1. Go to System → Patches

  2. Click Apply all recommended patches

Once applied, the mitigation is in place.


How to apply the patch manually

Manual installation is only required if the recommended patch does not appear automatically.

  1. Open the Netgate Redmine link for the patch (linked below)

  2. Copy the patch URL

  3. In pfSense, go to System → Patches

  4. Click Add new patch

  5. Enter a description such as:
    FreeBSD CVE-2025-14558 Mitigation

  6. Paste the patch URL into the URL field

  7. Save, then click Fetch and apply

If the system reports that the patch was applied successfully, no further action is required.


Further information

Netgate has published additional details on:

  • The official Netgate blog

  • The Redmine patch tracker

Links to both resources are provided below.


Summary

  • CVE-2025-14558 is an IPv6 router advertisement handling issue in FreeBSD

  • pfSense is affected when using DHCPv6 or SLAAC

  • Exploitation is limited to the local network and is difficult

  • Netgate has provided an effective workaround via system patches

  • IPv6 users should apply the recommended patch

Keeping pfSense and installed packages up to date remains the best way to reduce exposure to newly discovered vulnerabilities.

Tags:

pfsense security CVE-2025-14558
