Cyber Posture

CVE-2025-56088

Severity: High | Public PoC

Published: 11 December 2025
Modified: 26 January 2026
KEV Added: (no date recorded)
Patch: (none recorded)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.1st percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An OS command injection vulnerability in the Ruijie RG-BCR RG-BCR860 allows attackers to execute arbitrary commands via a crafted POST request to the action_service handler in the file /usr/lib/lua/luci/controller/admin/service.lua.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Directly mitigates OS command injection by requiring validation of untrusted inputs from crafted POST requests to the vulnerable endpoint.

Prevent: Ensures timely remediation of the specific flaw in the LuCI controller, preventing exploitation through patching.

Prevent: Limits the scope and impact of arbitrary command execution by enforcing least privilege on the vulnerable service process.

Security Summary [AI-generated]

CVE-2025-56088 is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-BCR RG-BCR860 device. The flaw exists in the action_service endpoint within the file /usr/lib/lua/luci/controller/admin/service.lua, where a crafted POST request enables attackers to execute arbitrary operating system commands. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact.

The vulnerability can be exploited over the network, without user interaction, by attackers holding low privileges, such as authenticated users with minimal administrative access. By sending a specially crafted POST request to the vulnerable endpoint, they can inject and execute arbitrary OS commands on the device, with high impact on confidentiality, integrity, and availability, which could result in full system compromise, data theft, or persistent access.

Detailed advisories, vulnerability reports, and potential mitigation steps, including patches, are documented in the following references: https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10, https://1drv.ms/t/c/12406a392c92914b/EQ5pK82-KmxKht6YgsEzaOsBzrC05Cael1vwpfM9ZxX97Q?e=qEgmtB, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56088.md.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: ruijie rg-bcr860 firmware (all versions)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

OS command injection via web endpoint enables remote service exploitation (T1210) and arbitrary command execution on network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
