Cyber Posture

CVE-2025-56091

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
27 January 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0028 51.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the OS command injection vulnerability by requiring timely identification, reporting, and patching of the flaw in the /usr/local/lua/dev_config/config_retain.lua file.

SI-10 Information Input Validation good match
prevent

Prevents command injection exploitation by enforcing validation of POST request inputs to the module_set function, blocking arbitrary OS command payloads.

SC-7 Boundary Protection partial match
prevent

Reduces remote network access (AV:N) to the vulnerable management endpoint on the Ruijie RG-EW1800GX device, limiting exploitation opportunities.

Security SummaryAI

CVE-2025-56091 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-EW1800GX device running firmware version B11P226_EW1800GX_10223121. The flaw resides in the file /usr/local/lua/dev_config/config_retain.lua, where the module_set function processes POST requests insecurely, enabling attackers to inject and execute arbitrary operating system commands. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

Attackers with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By crafting a malicious POST request to the module_set endpoint, they can execute arbitrary commands on the underlying OS, potentially leading to full remote code execution, data exfiltration, system compromise, or further lateral movement within the network.

Advisories and detailed reports on this vulnerability, including potential mitigation guidance, are available in the referenced sources: https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6, https://1drv.ms/t/c/12406a392c92914b/EdiWfxSbC0pAu_oksKjm2xgBXSCavYBBJt8V51JkcH4Dsw?e=OhOVCN, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56091.md.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-ew1800gx firmware
3.0\(1\)b11p226
ruijie
rg-ew300r firmware
3.0\(1\)b11p301

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

The vulnerability allows remote OS command injection via a web interface (POST request) on a network device, directly enabling exploitation of public-facing applications (T1190), network device CLI abuse (T1059.008), and exploitation of remote services for code execution (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References