CVE-2025-56113
Published: 11 December 2025
Description
An OS command injection vulnerability in Ruijie RG-YST EST, YSTAP_3.0(1)B11P280YST250F V1.xxV2.xx allows attackers to execute arbitrary commands via a crafted POST request to the pwdmodify function in the file /usr/lib/lua/luci/modules/common.lua.
Mitigating Controls (NIST 800-53 r5)
Directly prevents OS command injection by validating crafted POST requests to the pwdmodify function in common.lua.
Remediates the specific flaw in /usr/lib/lua/luci/modules/common.lua through timely patching as per vendor advisories.
Restricts information inputs to pwdmodify, limiting the ability to inject arbitrary OS commands via POST requests.
Security Summary
CVE-2025-56113 is an OS Command Injection vulnerability (CWE-78) affecting Ruijie RG-YST EST software, specifically the YSTAP_3.0(1)B11P280YST250F V1.xxV2.xx version. The flaw resides in the pwdmodify function within the file /usr/lib/lua/luci/modules/common.lua, where attackers can inject and execute arbitrary operating system commands through a specially crafted POST request. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
Exploitation requires low privileges (PR:L), making it accessible to authenticated users such as low-level administrators or service accounts. Attackers can remotely trigger the vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), leading to arbitrary command execution on the underlying operating system. Successful exploitation grants high-level control over the affected device, potentially enabling full system compromise, data exfiltration, persistence, or lateral movement within the network.
Mitigation guidance and patch details are outlined in security advisories and reports available via the CVE references, including a dedicated GitHub vulnerability report at https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56113.md and supporting documents on OneDrive. Practitioners should consult these sources for vendor-recommended updates, configuration hardening, or workarounds to address the issue.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via web POST enables Unix Shell execution (T1059.004), exploitation of remote web service (T1210), and privilege escalation from low privileges to full system control (T1068).