CVE-2025-56086

HighPublic PoC

Published: 11 December 2025

Published

11 December 2025

Modified

26 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0029 51.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by validating and sanitizing inputs from crafted POST requests in the vulnerable Lua module_get function.

SI-2 Flaw Remediation good match

prevent

Addresses the specific flaw in the firmware by requiring timely identification, reporting, and patching of the command injection vulnerability.

SI-9 Information Input Restrictions good match

prevent

Enforces restrictions on POST request inputs to block malicious payloads that could be injected into OS commands via the networkConnect.lua handler.

Security SummaryAI

CVE-2025-56086 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-EW1200 device running firmware version EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00. The flaw resides in the module_get function within the file /usr/local/lua/dev_sta/networkConnect.lua, where attackers can exploit it by sending a crafted POST request to inject and execute arbitrary operating system commands.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity and requires only low privileges. An authenticated attacker with low-level access can leverage the crafted POST request to execute arbitrary commands on the underlying OS, potentially resulting in high impacts to confidentiality, integrity, and availability, such as full system compromise.

Mitigation details and advisories are documented in the following references: https://1drv.ms/f/c/12406a392c92914b/EuESCSUsYvtAtfW1SfmGGxsBw-kN9iCbpnUU9T8TXofH3w?e=kp5OXK, https://1drv.ms/t/c/12406a392c92914b/ETgTxS2wFBlCjG4DP56-PjkBWwvraLHZ-BVaWh9Vs9_SuA?e=aTbjEe, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56086.md. The CVE was published on 2025-12-11T18:16:20.777.

Details

CWE(s): CWE-78

Affected Products

ruijie

rg-ew1200 firmware

3.0\(1\)b11p227

ruijie

rg-x60 firmware

3.0\(1\)b11p237

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

The OS command injection vulnerability in the public-facing web interface (/usr/local/lua/dev_sta/networkConnect.lua) enables remote exploitation for initial access (T1190) and arbitrary Unix shell command execution (T1059.004).

References

https://1drv.ms/f/c/12406a392c92914b/EuESCSUsYvtAtfW1SfmGGxsBw-kN9iCbpnUU9T8TXofH3w?e=kp5OXK
Broken Link, Exploit · cve@mitre.org
https://1drv.ms/t/c/12406a392c92914b/ETgTxS2wFBlCjG4DP56-PjkBWwvraLHZ-BVaWh9Vs9_SuA?e=aTbjEe
Broken Link, Exploit · cve@mitre.org
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56086.md
Third Party Advisory · cve@mitre.org