CVE-2025-56106

HighPublic PoC

Published: 11 December 2025

Published

11 December 2025

Modified

26 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0028 51.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by validating and sanitizing untrusted inputs in crafted POST requests to the module_set function in nbr_cwmp.lua.

SI-2 Flaw Remediation good match

prevent

Remediates the specific flaw in the /usr/local/lua/dev_sta/nbr_cwmp.lua file through timely patching or firmware updates for the Ruijie RG-EW1800GX device.

AC-6 Least Privilege partial match

prevent

Limits damage from injected OS commands by enforcing least privilege on the process handling low-privileged remote access, reducing potential for full device compromise.

Security SummaryAI

CVE-2025-56106 is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1800GX device running firmware version B11P226_EW1800GX_10223121. The flaw exists in the module_set function within the file /usr/local/lua/dev_sta/nbr_cwmp.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-11T19:15:56.207.

Low-privileged remote attackers (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious POST request to the affected module_set endpoint, they can inject and execute arbitrary OS commands, achieving high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise.

Advisories and reports providing further details on mitigation, patches, or workarounds are available in the following references: https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6, https://1drv.ms/t/c/12406a392c92914b/EcUP8SMciOVBgNEy31-OnnkBQRk_fUCDWUtdDX8UBfbXEA?e=FuQDPi, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56106.md.

Details

CWE(s): CWE-78

Affected Products

ruijie

rg-ew1800gx firmware

3.0\(1\)b11p226

ruijie

rg-est350 firmware

3.0\(1\)b11p221

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

OS command injection via crafted POST request to web endpoint directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6
Broken Link, Exploit · cve@mitre.org
https://1drv.ms/t/c/12406a392c92914b/EcUP8SMciOVBgNEy31-OnnkBQRk_fUCDWUtdDX8UBfbXEA?e=FuQDPi
Broken Link, Exploit · cve@mitre.org
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56106.md
Exploit, Third Party Advisory · cve@mitre.org