Cyber Posture

CVE-2025-56085

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
26 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0064 70.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation and sanitization of crafted POST request inputs to the module_set function to prevent OS command injection.

SI-2 Flaw Remediation good match
prevent

Mandates timely remediation of known flaws like CVE-2025-56085 through firmware patching to eliminate the command injection vulnerability.

AC-6 Least Privilege partial match
prevent

Enforces least privilege on the vulnerable Lua process to limit the scope and impact of arbitrary command execution even if injection occurs.

Security SummaryAI

CVE-2025-56085 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-EW1200 device running firmware EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00. The flaw resides in the module_set function within the file /usr/local/lua/dev_config/config_retain.lua, where a crafted POST request can inject and execute arbitrary operating system commands. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (high severity), reflecting network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

Attackers with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. By sending a specially crafted POST request to the vulnerable module_set endpoint, they can execute arbitrary OS commands on the device, potentially achieving full remote code execution, data exfiltration, system modification, or denial of service.

Mitigation details, including patches and advisories, are available in the following references: https://1drv.ms/f/c/12406a392c92914b/EuESCSUsYvtAtfW1SfmGGxsBw-kN9iCbpnUU9T8TXofH3w?e=kp5OXK, https://1drv.ms/t/c/12406a392c92914b/ERuoK3MLW2RLpQ6qOoGs5wIB73tNnsDzRT8U6U6z4VmskQ?e=KIjaOa, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56085.md. Security practitioners should consult these for vendor-recommended updates and workarounds.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-ew1200 firmware
3.0\(1\)b11p227
ruijie
rg-ew300 pro firmware
3.0\(1\)b11p219

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

The OS command injection vulnerability in the web interface allows remote exploitation of a public-facing application (T1190) to achieve arbitrary command execution on the network device, facilitating network device CLI abuse (T1059.008).

References