Cyber Posture

CVE-2025-56101

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
27 January 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0022 44.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents OS command injection by validating and sanitizing crafted POST request inputs to the module_get function in /usr/local/lua/dev_sta/networkConnect.lua.

SI-2 Flaw Remediation good match
prevent

Requires timely patching of the command injection flaw in firmware EW_3.0(1)B11P226_M18_10223116 to eliminate arbitrary command execution capability.

AC-6 Least Privilege partial match
prevent

Enforces least privilege on the process handling the vulnerable endpoint, limiting the impact and scope of any successfully injected OS commands.

Security SummaryAI

CVE-2025-56101, published on 2025-12-11, is an OS Command Injection vulnerability (CWE-78) in the Ruijie M18 device running firmware version EW_3.0(1)B11P226_M18_10223116. The issue affects the module_get function in the file /usr/local/lua/dev_sta/networkConnect.lua, where attackers can execute arbitrary commands through a crafted POST request. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, and significant impacts across confidentiality, integrity, and availability.

Attackers with low privileges (PR:L), such as authenticated users, can exploit this over the network without requiring user interaction. By sending a specially crafted POST request to the vulnerable endpoint, they gain the ability to execute arbitrary operating system commands on the device, potentially leading to full compromise including data theft, modification, or disruption of services.

Advisories and detailed reports on mitigation, patches, or workarounds are referenced in the following sources: https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM, https://1drv.ms/t/c/12406a392c92914b/EbNlU_0K0v1Krzq7CaUWn0AB_yu3ICrdmwoVuS2txFGMhA?e=0gIUMh, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56101.md.

Details

CWE(s)
CWE-78

Affected Products

ruijie
m18-ew firmware
3.0\(1\)b11p226
ruijie
rg-ew1200r firmware
ew_3.0\(1\)b11p301

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

The OS command injection vulnerability enables arbitrary command execution on a network device via remote exploitation (T1210) and abuse of network device CLI capabilities (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References