The vulnerability resides in the FreeBSD dhclient utility, where the BOOTP file field is written to the lease file without escaping embedded double‑quotes. A rogue DHCP server can embed crafted option strings that, when the lease file is later re‑parsed by dhclient, are evaluated by dhclient‑script(8), allowing the attacker to inject arbitrary directives and execute shell commands as root. The flaw therefore permits remote code execution with system‑level privileges.

Product: FreeBSD dhclient. The advisory references FreeBSD:FreeBSD without specifying a particular release version; therefore all installations of dhclient on FreeBSD that include the unfiltered BOOTP handling are potentially affected. System administrators should verify their current dhclient version and apply any security updates provided by the FreeBSD project.

Although the EPSS score is low at < 1%, the nature of the flaw—remote injection of dhclient.conf directives leading to arbitrary command execution as root—implies a high likelihood of exploitation in environments where an attacker can control a DHCP server. The CVSS score of 8.1 indicates high severity. The vulnerability is not yet listed in the CISA KEV catalog, but the lack of a mitigated environment makes it a top‑priority issue that requires immediate attention.