Cyber Posture

CVE-2025-56122

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
23 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0105 77.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation and sanitization of untrusted inputs like crafted POST requests to prevent OS command injection in the Lua script.

SI-2 Flaw Remediation good match
prevent

Ensures timely remediation of known flaws such as this command injection vulnerability through patching the affected firmware version.

AC-6 Least Privilege partial match
prevent

Limits potential damage from command injection by enforcing least privilege on low-privilege accounts accessing the vulnerable endpoint.

Security SummaryAI

CVE-2025-56122, published on 2025-12-11, is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1800GX PRO device running firmware version B11P226_EW1800GX-PRO_10223117. The issue affects the module_get function in the file /usr/local/lua/dev_sta/networkConnect.lua, enabling attackers to execute arbitrary operating system commands through a crafted POST request.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and exploitation requiring only low privileges without user interaction or scope changes. Attackers with such privileges can remotely inject and execute commands, resulting in high impacts to confidentiality, integrity, and availability, potentially allowing full device compromise.

Advisories and detailed reports on this vulnerability, including potential mitigations and patches, are available in the referenced sources: https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi, https://1drv.ms/t/c/12406a392c92914b/EZOBtzLwlmBKschv6sxT_LcBBKnMP_OXO7d24321UD8x8g?e=Dpui5j, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56122.md.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-ew1800gx firmware
3.0\(1\)b11p226
ruijie
rg-ew300n firmware
3.0\(1\)b11p300
ruijie
rg-ew1800gx pro firmware
1.022.3117

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

OS command injection via crafted POST to web interface (/usr/local/lua/dev_sta/networkConnect.lua) on network device enables exploitation of public-facing application for arbitrary command execution on the device CLI.

References