Cyber Posture

CVE-2025-56095

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
27 January 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0028 51.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the OS command injection flaw in the module_set function of /usr/local/lua/dev_sta/nbr_cwmp.lua by identifying, reporting, and correcting the vulnerability in affected firmware versions.

SI-10 Information Input Validation good match
prevent

Requires validation of information inputs such as POST request parameters to prevent crafted payloads from injecting and executing arbitrary OS commands.

SI-9 Information Input Restrictions good match
prevent

Restricts inputs to the vulnerable endpoint to organization-defined safe types, blocking malicious POST requests that enable command injection.

Security SummaryAI

CVE-2025-56095 is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1200G PRO device across firmware versions V1.00, V2.00, V3.00, and V4.00. The issue affects the module_set function in the file /usr/local/lua/dev_sta/nbr_cwmp.lua, where attackers can execute arbitrary commands through a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.

Remote attackers with low privileges can exploit this vulnerability by sending a specially crafted POST request to the vulnerable endpoint. No user interaction is required, enabling straightforward exploitation over the network. Successful attacks allow arbitrary OS command execution on the device, potentially leading to full remote code execution, data compromise, system modification, or denial of service.

Mitigation details and additional technical analysis are available in the following advisories and reports: https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62, https://1drv.ms/t/c/12406a392c92914b/EQgGsVREbAJEv4dCG7LAzoYBUiS4nCjWKun_QhenDHzU0Q?e=Ly0lll, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56095.md.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-ew1200g pro firmware
all versions
ruijie
rg-eap602 firmware
3.0\(1\)b2p55

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

OS command injection via crafted POST request to web management interface enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References