Cyber Posture

CVE-2025-56090

High · Public PoC

Published: 11 December 2025

Modified: 27 January 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

OS command injection vulnerability in Ruijie RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allows attackers to execute arbitrary commands via a crafted POST request to the module_set function in the file /usr/local/lua/dev_config/config_retain.lua.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates OS command injection by requiring validation of crafted POST request inputs to the module_set function in config_retain.lua, preventing arbitrary command execution.

prevent

Requires timely remediation of the specific flaw in affected firmware versions V1.00 through V4.00 to eliminate the command injection vulnerability.

detect · respond

Enables scanning for and remediation of CVE-2025-56090 in vulnerable Ruijie router firmware, addressing exploitation risks across multiple versions.

Security Summary · AI

CVE-2025-56090 is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1200G PRO router across firmware versions V1.00, V2.00, V3.00, and V4.00. The issue affects the module_set function in the file /usr/local/lua/dev_config/config_retain.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability can be exploited remotely over the network by attackers with low privileges, such as authenticated users, requiring low attack complexity and no user interaction. Successful exploitation allows arbitrary command execution on the underlying operating system, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to full device compromise, data theft, or further network pivoting.

Mitigation details and additional technical reports are documented in the following references: https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62, https://1drv.ms/t/c/12406a392c92914b/EfSHWqE3N11FpgQsV1BlZk0BxXIhFQjIp_xmJYIq1APvrw?e=JCIm6k, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56090.md. Security practitioners should consult these for patch availability, workarounds, or proof-of-concept details.

Details

CWE(s)

Affected Products

ruijie · rg-ew1200g pro firmware · all versions
ruijie · rg-ew1200r firmware · ew_3.0\(1\)b11p301

MITRE ATT&CK Enterprise Techniques · AI

T1210 Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059.004 Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection vulnerability enables exploitation of remote services (T1210) for arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References