CVE-2025-56093

HighPublic PoC

Published: 11 December 2025

Published

11 December 2025

Modified

27 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0065 70.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the setWisp in file /usr/lib/lua/luci/modules/wireless.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires information input validation at entry points like the setWisp POST endpoint, directly preventing OS command injection from crafted requests.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of flaws such as the command injection in wireless.lua, enabling patching of this specific CVE.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to restrict low-privilege (PR:L) users from accessing the vulnerable setWisp function in the web interface.

Security SummaryAI

CVE-2025-56093 is an OS command injection vulnerability (CWE-78) affecting the Ruijie X30-PRO device, specifically version X30-PRO-V1_09241521. The flaw resides in the setWisp function within the file /usr/lib/lua/luci/modules/wireless.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

Exploitation requires low privileges, such as those held by an authenticated user with network access to the device. An attacker can remotely trigger the vulnerability with low complexity and no user interaction, achieving arbitrary command execution on the underlying operating system. This grants high-level control over the device, potentially enabling full compromise, data exfiltration, persistence, or further lateral movement within a network.

Advisories and detailed reports, including vulnerability analyses for this and related Ruijie device flaws, are available in the referenced GitHub repositories from flegoity and associated OneDrive documents. Practitioners should consult these sources for vendor-specific guidance on patches, workarounds, or configuration changes to mitigate exposure.

Details

CWE(s): CWE-78

Affected Products

ruijie

x30 pro firmware

all versions

ruijie

rg-ew300 pro firmware

3.0\(1\)b11p219

ruijie

rg-eap602 firmware

3.0\(1\)b2p55

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Vulnerability enables exploitation of public-facing web application via crafted POST request (T1190), resulting in arbitrary OS command injection on Linux-based device (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY
Product, Broken Link · cve@mitre.org
https://1drv.ms/t/c/12406a392c92914b/Edoz9sBTjeJMqw8K0f3lWgMBNxBlpE9IIUwOX2h2S1cMhw?e=46VlOq
Third Party Advisory, Broken Link · cve@mitre.org
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56092.md
Not Applicable · cve@mitre.org
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56093.md
Exploit, Third Party Advisory · cve@mitre.org