Cyber Posture

CVE-2025-56118

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
23 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0105 77.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the OS command injection flaw in the module_set function of /usr/local/lua/dev_sta/nbr_cwmp.lua by identifying, patching, and verifying fixes.

SI-10 Information Input Validation good match
prevent

Prevents exploitation by enforcing input validation mechanisms on crafted POST requests to the vulnerable module_set endpoint.

AC-6 Least Privilege partial match
prevent

Limits damage from successful command injection by enforcing least privilege on low-privilege (PR:L) accounts accessing the affected Lua function.

Security SummaryAI

CVE-2025-56118 is an OS command injection vulnerability (CWE-78) affecting Ruijie X60 PRO devices, specifically model X60_10212014RG-X60 PRO in versions V1.00 and V2.00. The flaw resides in the module_set function within the file /usr/local/lua/dev_sta/nbr_cwmp.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. The vulnerability received a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-11T19:15:57.270.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and without user interaction (UI:N). Successful exploitation allows arbitrary command execution on the underlying OS, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged security scope (S:U). This enables remote code execution, potentially leading to full device compromise.

Advisories and detailed reports on this vulnerability, including potential mitigation guidance, are available in the following references: https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh, https://1drv.ms/t/c/12406a392c92914b/EV2jr71QaoFBjf3SLQcUA6sBcmzSsyx2jJ_XY7yOBk_Sjg?e=WOY7Wd, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56118.md.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-ew3200gx firmware
3.0\(1\)b11p219
ruijie
rg-x60 pro firmware
1.021.2014

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

OS Command Injection via crafted POST request enables remote exploitation of a public-facing application (T1190) and arbitrary command execution on the network device CLI (T1059.008).

References