Cyber Posture

CVE-2025-56129

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
15 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0138 80.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_diagnosis in file /usr/lib/lua/luci/controller/admin/diagnosis.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates OS command injection by enforcing validation and sanitization of crafted POST requests to the action_diagnosis function.

SI-2 Flaw Remediation good match
prevent

Remediates the specific flaw in /usr/lib/lua/luci/controller/admin/diagnosis.lua through timely patching or code correction.

CM-7 Least Functionality good match
prevent

Eliminates the vulnerable diagnosis functionality if non-essential, preventing exploitation of the command injection endpoint.

Security SummaryAI

CVE-2025-56129, published on 2025-12-11, is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-BCR series, specifically the RG-BCR860 model. The issue affects the file /usr/lib/lua/luci/controller/admin/diagnosis.lua, where the action_diagnosis function fails to properly sanitize crafted POST requests, enabling attackers to inject and execute arbitrary operating system commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Attackers require low privileges, such as those of an authenticated user (PR:L), to exploit the vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By sending a specially crafted POST request to the vulnerable endpoint, they can achieve remote code execution, compromising confidentiality, integrity, and availability at a high level (C:H/I:H/A:H).

Advisories and detailed reports on mitigation, including potential patches, are available in the CVE references: https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10, https://1drv.ms/t/c/12406a392c92914b/EaJ2e_mzgltOiHqb4t8xIvgBoT2CYEP0nrhZd7IYlCHSPQ?e=miUrrL, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56129.md.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-bcr860 firmware
2.5.13

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

OS command injection via crafted POST request to web interface enables exploitation of public-facing application (T1190) for initial access and arbitrary command execution on network device CLI (T1059.008).

References