Cyber Posture

CVE-2025-56077

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
26 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0105 77.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates OS command injection by requiring validation of crafted POST request inputs to the vulnerable module_set function in nbr_cwmp.lua.

SI-2 Flaw Remediation good match
prevent

Ensures timely patching or remediation of the specific command injection flaw in the affected Lua script to prevent exploitation.

AC-6 Least Privilege partial match
prevent

Limits damage from successful command injection by enforcing least privilege for low-privilege (PR:L) users accessing the vulnerable endpoint.

Security SummaryAI

CVE-2025-56077 is an OS command injection vulnerability (CWE-78) affecting Ruijie RG-RAP2200(E) 247 2200 access points. The flaw resides in the module_set function within the file /usr/local/lua/dev_sta/nbr_cwmp.lua, where attackers can inject and execute arbitrary operating system commands through a specially crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and potential for complete compromise of confidentiality, integrity, and availability.

An attacker with low privileges, such as an authenticated user, can exploit this vulnerability remotely over the network without user interaction. By sending a malicious POST request to the vulnerable endpoint, they gain the ability to execute arbitrary OS commands on the affected device, potentially leading to full system takeover, data exfiltration, persistent access, or further lateral movement within the network.

Advisories and detailed reports, including vulnerability analysis and potential mitigation guidance, are available in the referenced sources: https://1drv.ms/f/c/12406a392c92914b/EvnzTspA23NAl-T9w70dG4MBnWWojsrzAeM1i-ed2EauAA?e=AYOxPM, https://1drv.ms/t/c/12406a392c92914b/EURTWAoIJNRMtvzNPi08CToB780nsKPNHZ2Fdmcf9xsoRA?e=jHygdj, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56077.md. Security practitioners should consult these for patch information, workarounds, or configuration changes to address the issue.

Details

CWE(s)
CWE-78

Affected Products

ruijienetworks
reyee os
2.280.0
ruijie
rg-rap2200\(e\) firmware
3.0\(1\)b11p247

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

CVE enables exploitation of public-facing web application (T1190) for OS command injection (T1059.004 Unix Shell) with low privileges, facilitating privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References