Cyber Posture

CVE-2025-56097

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
27 January 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0105 77.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates OS command injection by requiring validation of crafted POST requests to the module_set function in config_retain.lua.

SI-2 Flaw Remediation good match
prevent

Requires timely remediation and patching of the specific flaw in the Ruijie firmware's Lua script to eliminate the vulnerability.

SI-9 Information Input Restrictions good match
prevent

Enforces restrictions on information inputs to the vulnerable endpoint, blocking malicious payloads in POST requests that enable command injection.

Security SummaryAI

CVE-2025-56097 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-EW1800GX PRO device running firmware version B11P226_EW1800GX-PRO_10223117. The flaw resides in the module_set function within the file /usr/local/lua/dev_config/config_retain.lua, where attackers can inject and execute arbitrary operating system commands through a specially crafted POST request. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by low-privileged users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows attackers to execute arbitrary commands on the underlying operating system, potentially leading to full device compromise, including data theft, modification of configurations, or disruption of network services.

Mitigation details and additional technical reports are available in the referenced advisories, including the GitHub report at https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56097.md and OneDrive documents at https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi and https://1drv.ms/t/c/12406a392c92914b/EeVJ2woYmHVHn_C0Sy_iRZsB4yZQFJDXSBOwMSZW0KXJrQ?e=VVGxWb. Security practitioners should consult these for vendor-recommended patches or workarounds.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-ew1800gx pro firmware
3.0\(1\)b11p226
ruijie
rg-ew300n firmware
3.0\(1\)b11p300

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

The vulnerability is an OS command injection in a network device's web management interface (/usr/local/lua/...), exploitable remotely by low-privileged users via POST request, directly enabling exploitation of remote services (T1210) to achieve arbitrary command execution on the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References