Cyber Posture

CVE-2025-56089

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
27 January 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0105 77.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly prevents OS command injection by validating crafted POST request inputs to the module_set function in nbr_cwmp.lua against expected formats and content.

SI-2 Flaw Remediation good match
prevent

SI-2 remediates the specific flaw in the Ruijie M18 firmware by identifying, reporting, and correcting the command injection vulnerability via patching.

SI-9 Information Input Restrictions good match
prevent

SI-9 restricts malicious inputs in POST requests to the vulnerable endpoint, blocking arbitrary OS command payloads before execution.

Security SummaryAI

CVE-2025-56089 is an OS Command Injection vulnerability (CWE-78) in the Ruijie M18 device running firmware version EW_3.0(1)B11P226_M18_10223116. The issue affects the module_set function in the file /usr/local/lua/dev_sta/nbr_cwmp.lua, enabling attackers to execute arbitrary operating system commands by sending a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting a malicious POST request to the vulnerable endpoint, they can inject and execute arbitrary OS commands, potentially achieving full control over the device, including data exfiltration, modification, or disruption of services.

Mitigation details and advisories are documented in the following references: https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM, https://1drv.ms/t/c/12406a392c92914b/Ea56irtVj4dNs59Pzz7fkiIBQeVLjDcMDEXC2FpCQydIZQ?e=70gcOe, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56089.md. Security practitioners should review these for patch availability or workarounds specific to Ruijie M18 deployments.

Details

CWE(s)
CWE-78

Affected Products

ruijie
m18-ew firmware
3.0\(1\)b11p226
ruijie
rg-ew300g pro firmware
ew_3.0\(1\)b11p219

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

The OS command injection vulnerability directly enables arbitrary Unix shell command execution (T1059.004) via crafted POST requests and represents exploitation of a remote service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References