Cyber Posture

CVE-2025-56123

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
27 January 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0105 77.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the OS command injection flaw in the module_get function of networkConnect.lua by applying vendor patches or updates.

SI-10 Information Input Validation good match
prevent

Prevents arbitrary command execution by validating and sanitizing crafted POST request inputs to the vulnerable Lua script.

SI-9 Information Input Restrictions partial match
prevent

Restricts input at the web interface to safe formats and lengths, blocking injection payloads targeting the networkConnect.lua module.

Security SummaryAI

CVE-2025-56123, published on 2025-12-11, is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1200G PRO router across firmware versions V1.00, V2.00, V3.00, and V4.00. The issue affects the module_get function in the file /usr/local/lua/dev_sta/networkConnect.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request.

With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network with low attack complexity and no user interaction. It requires low privileges (PR:L), such as those held by an authenticated user, allowing remote attackers to achieve high impacts on confidentiality, integrity, and availability through arbitrary command execution.

Advisories and reports on mitigation are available in the provided references, including https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62, https://1drv.ms/t/c/12406a392c92914b/ERjNMNZRBD5HoYydt7Kb3kwBT4ycJXROxTsVBB-WXXqH6Q?e=q8Lcd2, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56123.md.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-ew1200g pro firmware
all versions
ruijie
rg-ew1300g firmware
ew_3.0\(1\)b11p303

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

The vulnerability is an OS command injection in a public-facing web interface on a network device (router), enabling exploitation of a public-facing application (T1190) and arbitrary command execution via network device CLI-like capabilities (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References