Impact
The flaw resides in the Wi‑Fi network scanning routine of FreeBSD’s installation utilities, bsdinstall and bsdconfig. When the utilities are prompted to scan for nearby networks, the network names they find are assembled into a shell command that is executed directly by the system shell. A malicious access point can broadcast a specially crafted SSID that contains shell metacharacters, causing the shell to expand and execute arbitrary commands. Because the utilities run with root privileges, the attacker gains unrestricted control over the target system.
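The command-assembly weakness described above, as an added example beside two hardened forms. This is not the bsdinstall or bsdconfig source; the function names and the sample SSID (which carries a harmless marker) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample SSID: a network name carrying a command substitution
# that only echoes a harmless marker.
SAMPLE_SSID='cafe$(echo INJECTED)'

# Hypothetical weak pattern: the SSID is pasted into a command string and
# the string is re-parsed by the shell, so its metacharacters are expanded.
show_unsafe() {
    ssid=$1
    eval "printf '%s\n' \"$ssid\""
}

# Hardened pattern 1: the SSID is only ever passed as an argument (data)
# and is never re-parsed as shell source.
show_safe() {
    ssid=$1
    printf '%s\n' "$ssid"
}

# Hardened pattern 2, for code that must build a command string:
# wrap the value in single quotes and rewrite each embedded ' as '\''.
# (Command substitution drops trailing newlines from the value.)
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

show_quoted() {
    eval "printf '%s\n' $(sh_quote "$1")"
}

# Stand-alone demonstration on the constructed sample.
printf 'unsafe: %s\n' "$(show_unsafe "$SAMPLE_SSID")"
printf 'safe:   %s\n' "$(show_safe "$SAMPLE_SSID")"
printf 'quoted: %s\n' "$(show_quoted "$SAMPLE_SSID")"
```

Only the first function prints the marker with the substitution expanded; the other two print the SSID byte for byte, which is the property to look for when reviewing any script that handles scan results.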
Affected Systems
All FreeBSD installations that use bsdinstall or bsdconfig for network configuration are affected. A system remains vulnerable until it runs an updated build from the FreeBSD security team that incorporates the fix described in the official advisory. No specific version ranges are listed in the advisory, so users should assume all releases prior to the patch are vulnerable.
Risk and Exploitability
The vulnerability permits an attacker to run any command as root simply by broadcasting a malicious SSID within range of the target’s Wi‑Fi interface. The system does not need to be connected to the rogue network; it is sufficient that the SSID is detected during a scan. The CVSS score of 7.5 classifies this as a high‑severity vulnerability. The EPSS score of <1% suggests exploitation is unlikely at present, but the ease of the attack vector and the ability to exploit without user interaction make it a serious risk. The flaw is not currently listed in CISA’s KEV catalog. The weakness is an instance of CWE‑78 (OS command injection) and requires no user interaction beyond initiating a Wi‑Fi scan.