Cyber Posture

CVE-2025-56130

HighPublic PoC

Published: 11 December 2025

Published
11 December 2025
Modified
31 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0104 77.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OS Command Injection vulnerability in Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230 allowing attackers to execute arbitrary commands via a crafted POST request to the module_update in file /usr/local/lua/dev_config/ace_sw.lua.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates CVE-2025-56130 by requiring timely patching or upgrading of the vulnerable S1930SWITCH_3.0(1)B11P230 firmware to eliminate the OS command injection flaw.

SI-10 Information Input Validation good match
prevent

Prevents exploitation of CVE-2025-56130 by validating and sanitizing POST request inputs to the module_update function in /usr/local/lua/dev_config/ace_sw.lua, blocking arbitrary OS command injection.

CM-5 Access Restrictions for Change partial match
prevent

Limits the attack surface for CVE-2025-56130 by restricting access to the vulnerable module_update endpoint to only authorized personnel or roles beyond basic low-privilege users.

Security SummaryAI

CVE-2025-56130 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-S1930 switch running version S1930SWITCH_3.0(1)B11P230. The flaw resides in the module_update function within the file /usr/local/lua/dev_config/ace_sw.lua, where attackers can inject and execute arbitrary operating system commands through a specially crafted POST request. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and potential for significant impact on confidentiality, integrity, and availability.

Exploitation requires low privileges (PR:L), such as those held by an authenticated user with access to the affected interface. An attacker can remotely send a malicious POST request to the vulnerable endpoint over the network without user interaction, achieving arbitrary command execution on the underlying OS. This grants high-level compromise, enabling data exfiltration, modification of system files, service disruption, or full device takeover.

Mitigation guidance and additional details are available in vendor and researcher advisories, including the report at https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56130.md and supporting documents at https://1drv.ms/f/c/12406a392c92914b/EpWU9cQdd5RNszcYlTj2cGsBfiClkCwF0zCsLNYer2VIZA?e=ANIgPM. The CVE was published on 2025-12-11.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-nbs5100-24gt4sfp firmware
3.0\(1\)b11p248
ruijie
rg-s1930 firmware
3.0\(1\)b11p230

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

OS command injection via crafted POST request enables arbitrary command execution on the network device (T1059.008: Network Device CLI) and exploitation of the remote web service (T1210: Exploitation of Remote Services).

References