Cyber Posture

CVE-2025-56120

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
23 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0105 77.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 mandates validation of all system inputs, directly preventing OS command injection by ensuring crafted POST request parameters to module_set are sanitized before processing in the vulnerable Lua script.

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely identification, reporting, and correction of flaws, directly mitigating this CVE through firmware patching or code fixes in config_retain.lua.

AC-6 Least Privilege partial match
prevent

AC-6 enforces least privilege on accounts, limiting the damage from arbitrary command execution by low-privileged (PR:L) attackers exploiting the vulnerability.

Security SummaryAI

CVE-2025-56120 is an OS Command Injection vulnerability (CWE-78) in the Ruijie X60 PRO device, specifically firmware versions V1.00 and V2.00 for model X60_10212014RG-X60 PRO. The flaw exists in the module_set function within the file /usr/local/lua/dev_config/config_retain.lua, where attackers can execute arbitrary commands via a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

Attackers with low privileges (PR:L), such as authenticated users, can exploit this vulnerability over the network without user interaction. By crafting a malicious POST request to the module_set endpoint, they achieve remote execution of arbitrary OS commands, enabling full control over the affected device.

Mitigation details are covered in vendor advisories and reports available at the following references: https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh, https://1drv.ms/t/c/12406a392c92914b/EZf6v9BXDpFAs09oCidKJ8oBXclUWtjyMcQv3DgMfISkJg?e=MyjOdI, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56120.md.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-x60 pro firmware
1.021.2014
ruijie
rg-ew1200 firmware
3.0\(1\)b11p301

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

OS command injection via crafted POST request to web interface enables exploitation of public-facing application (T1190) and remote command execution on network device CLI/interpreter (T1059.008).

References