Cyber Posture

CVE-2025-56079

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
26 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0064 70.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-EW1300G EW1300G V1.00/V2.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents OS command injection by validating and sanitizing crafted POST request inputs to the vulnerable module_get function in networkConnect.lua.

SI-2 Flaw Remediation good match
prevent

Addresses the specific flaw in the Lua script by identifying, reporting, and remediating vulnerabilities like CVE-2025-56079 through timely patching.

AC-6 Least Privilege partial match
prevent

Limits the impact of arbitrary command execution by authenticated low-privilege users through enforcement of least privilege on system resources.

Security SummaryAI

CVE-2025-56079 is an OS command injection vulnerability (CWE-78) affecting Ruijie RG-EW1300G routers in versions V1.00, V2.00, and V4.00. The flaw resides in the module_get function within the file /usr/local/lua/dev_sta/networkConnect.lua, where attackers can inject and execute arbitrary operating system commands through a specially crafted POST request. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending a malicious POST request to the affected endpoint, they gain the ability to execute arbitrary commands on the underlying operating system, potentially leading to full remote code execution. This results in high impacts on confidentiality, integrity, and availability, allowing compromise of the device.

Mitigation details and additional technical information are provided in the following advisories: https://1drv.ms/f/c/12406a392c92914b/EjGDN1e4xfZOhROI3hzjKr0Bb9TVCN03MAR_VK56P8V3Ug?e=NmUXvt, https://1drv.ms/t/c/12406a392c92914b/EZdYNxRd8ilMrCRXLnltUKEBiBXJzrTc9i7Y643cuho9PA?e=7Bifxw, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56079.md. Security practitioners should consult these resources for patch availability, workarounds, or configuration changes specific to the affected Ruijie devices.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-ew1300g firmware
all versions
ruijie
be50 firmware
ew_3.0\(1\)b11p258

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

OS command injection vulnerability in router web interface enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References