Cyber Posture

CVE-2025-56084

High

Published: 11 December 2025
Modified: 11 February 2026
KEV Added
Patch
CVSS Score: 8.8 · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0015 · 35.4th percentile
Risk Priority: 18 · 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set function in the file /usr/local/lua/dev_sta/nbr_cwmp.lua.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: SI-2 requires identification, reporting, and correction of the specific flaw in /usr/local/lua/dev_sta/nbr_cwmp.lua, preventing exploitation of this OS command injection vulnerability through patching.

Prevent: SI-10 mandates validation of POST request inputs to the module_set function, directly blocking crafted requests that enable arbitrary OS command execution.

Prevent: AC-6 enforces least privilege on low-privilege accounts, limiting the scope and impact of arbitrary commands injected via the vulnerable Lua script.

Security Summary [AI]

CVE-2025-56084 is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1800GX PRO device, specifically firmware version B11P226_EW1800GX-PRO_10223117. The issue affects the module_set function in the file /usr/local/lua/dev_sta/nbr_cwmp.lua, where attackers can execute arbitrary operating system commands through a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited over the network by attackers with low privileges, such as authenticated users, requiring low complexity and no user interaction. Successful exploitation allows execution of arbitrary commands on the underlying operating system, enabling high-impact compromise of confidentiality, integrity, and availability.

Advisories and additional details on mitigation are documented in referenced sources, including https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi, https://1drv.ms/t/c/12406a392c92914b/EdfdfnvOxAhJqdeIGlRRo6ABHJz03PPPBYIMdLoD6iNhlg?e=qNhi6o, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56084.md.

Details

CWE(s)

Affected Products

Vendor · Product · Version(s)
ruijie · rg-yst250f firmware · 3.0(1)b11p280yst250f
ruijie · rg-est310 v2 firmware · b11p221
ruijie · reyee os · 219, 221
ruijie · rg-eap602 firmware · 3.0(1)b2p55

MITRE ATT&CK Enterprise Techniques [AI]

T1059.004 Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

CVE enables arbitrary OS command execution via crafted POST request (Unix Shell, T1059.004) on a remote network device service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References