
FreeBSD DHCP Client Flaw Allows Remote Code Execution as Root

The FreeBSD Project has issued a critical security advisory for a severe vulnerability in its default IPv4 DHCP client, tracked as CVE-2026-42511.

The flaw allows attackers on the same local network to execute arbitrary code with root privileges, effectively granting full control over affected systems.

The issue was discovered by Joshua Rogers of the AISLE Research Team and impacts all currently supported FreeBSD versions.

Vulnerability Details

The root cause lies in how the dhclient(8) utility processes network configuration data received from DHCP servers.

When a system connects to a network, it requests IP configuration details, including optional parameters such as the BOOTP file field. This data is then stored in a local DHCP lease file.

The vulnerability arises from improper handling of embedded double quotes in this field.

The DHCP client fails to sanitize or escape these characters correctly, allowing malicious input to be injected into configuration files like dhclient.conf.

This creates an opportunity for attackers to insert arbitrary directives into the system’s network configuration.
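The quoting failure described above, as an added C illustration that is not FreeBSD's dhclient code or its patch: the same server-supplied value is written into a lease-style `filename "...";` line once verbatim and once escaped, then counted by a quote-aware statement counter. The function names, the backslash-escaping convention, and the sample value with its placeholder directive are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample value; "injected-directive" is a placeholder, not a real keyword. */
static const char SAMPLE[] = "boot.img\"; injected-directive \"x";

/* Unsafe pattern: the server-supplied value is copied between quotes verbatim. */
static void emit_raw(char *out, size_t n, const char *val) {
    snprintf(out, n, "filename \"%s\";", val);
}

/* Hardened pattern: escape '"' and '\', drop control characters. */
static void emit_escaped(char *out, size_t n, const char *val) {
    if (n < 16) { if (n) out[0] = '\0'; return; }
    size_t o = (size_t)snprintf(out, n, "filename \"");
    for (; *val && o + 5 < n; val++) {
        unsigned char c = (unsigned char)*val;
        if (c < 0x20 || c == 0x7f) continue;
        if (c == '"' || c == '\\') out[o++] = '\\';
        out[o++] = (char)c;
    }
    memcpy(out + o, "\";", 3); /* closing quote, ';' and NUL */
}

/* Count ';'-terminated statements as a quote-aware parser would see them.
 * Returns -1 if a quoted string is left unterminated. */
static int count_statements(const char *s) {
    int in_str = 0, count = 0;
    for (; *s; s++) {
        if (in_str) {
            if (*s == '\\' && s[1]) s++;      /* skip escaped character */
            else if (*s == '"') in_str = 0;
        } else if (*s == '"') in_str = 1;
        else if (*s == ';') count++;
    }
    return in_str ? -1 : count;
}

static int statements_raw(const char *val) {
    char buf[256]; emit_raw(buf, sizeof buf, val); return count_statements(buf);
}
static int statements_escaped(const char *val) {
    char buf[256]; emit_escaped(buf, sizeof buf, val); return count_statements(buf);
}

int main(void) {
    printf("raw: %d statement(s)\n", statements_raw(SAMPLE));
    printf("escaped: %d statement(s)\n", statements_escaped(SAMPLE));
    return 0;
}
```

With the verbatim writer the single field is read back as two statements; with escaping it stays one quoted string.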

Exploitation occurs when the compromised lease file is reprocessed, such as during a system reboot or network service restart.

At this stage, the malicious entries are passed to dhclient-script(8), which executes them with root privileges.

To carry out the attack, the threat actor must operate within the same broadcast domain as the target.

By setting up a rogue DHCP server, the attacker can intercept DHCP requests and respond with specially crafted packets containing the malicious payload.

Once executed, the attacker gains complete system control. This access can be used to establish persistence, deploy ransomware, or move laterally within a corporate environment.

From a threat intelligence standpoint, this vulnerability aligns with several MITRE ATT&CK techniques:

  • T1557: Adversary-in-the-Middle, where attackers manipulate network traffic via rogue DHCP responses.
  • T1059: Command and Scripting Interpreter, as injected commands are executed through system scripts with elevated privileges.

This combination makes the flaw particularly dangerous in enterprise environments where network trust boundaries are often assumed.

The vulnerability affects all supported FreeBSD branches, including:

  • FreeBSD 15.0: 15.0-RELEASE and 15.0-STABLE
  • FreeBSD 14.x: 14.4-RELEASE, 14.3-RELEASE, and 14.4-STABLE
  • FreeBSD 13.5: 13.5-RELEASE and 13.5-STABLE

Any system relying on dhclient(8) is considered vulnerable.

The FreeBSD Project has released patches addressing this issue. Administrators are strongly advised to update their systems immediately.

Recommended update methods include:

  • Base package systems (FreeBSD 15.0):
    Run: pkg upgrade -r FreeBSD-base
  • Binary update method (other versions):
    Run: freebsd-update fetch
    Then: freebsd-update install

There is currently no direct workaround for systems that must use dhclient. However, network-level defenses can significantly reduce risk.

Organizations can mitigate exploitation by implementing DHCP snooping on managed switches.

This feature filters DHCP traffic and ensures only trusted servers can respond to client requests, effectively blocking rogue DHCP servers from delivering malicious payloads.

Systems that do not use dhclient(8) are not affected by this vulnerability.

Consider a corporate office network in which an attacker connects a rogue device acting as a DHCP server. When a FreeBSD workstation joins the network, it receives malicious configuration data.

Upon reboot, the system executes injected commands, allowing the attacker to install a backdoor and access sensitive internal systems without detection.


The post FreeBSD DHCP Client Flaw Allows Remote Code Execution as Root appeared first on Cyber Security News.
