CVE-2025-56077
Published: 11 December 2025
Summary
CVE-2025-56077 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijienetworks Reyee Os. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates OS command injection by requiring validation of crafted POST request inputs to the vulnerable module_set function in nbr_cwmp.lua.
Ensures timely patching or remediation of the specific command injection flaw in the affected Lua script to prevent exploitation.
Limits damage from successful command injection by enforcing least privilege for low-privilege (PR:L) users accessing the vulnerable endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of public-facing web application (T1190) for OS command injection (T1059.004 Unix Shell) with low privileges, facilitating privilege escalation (T1068).
NVD Description
OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
Deeper analysisAI
CVE-2025-56077 is an OS command injection vulnerability (CWE-78) affecting Ruijie RG-RAP2200(E) 247 2200 access points. The flaw resides in the module_set function within the file /usr/local/lua/dev_sta/nbr_cwmp.lua, where attackers can inject and execute arbitrary operating system commands through a specially crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and potential for complete compromise of confidentiality, integrity, and availability.
An attacker with low privileges, such as an authenticated user, can exploit this vulnerability remotely over the network without user interaction. By sending a malicious POST request to the vulnerable endpoint, they gain the ability to execute arbitrary OS commands on the affected device, potentially leading to full system takeover, data exfiltration, persistent access, or further lateral movement within the network.
Advisories and detailed reports, including vulnerability analysis and potential mitigation guidance, are available in the referenced sources: https://1drv.ms/f/c/12406a392c92914b/EvnzTspA23NAl-T9w70dG4MBnWWojsrzAeM1i-ed2EauAA?e=AYOxPM, https://1drv.ms/t/c/12406a392c92914b/EURTWAoIJNRMtvzNPi08CToB780nsKPNHZ2Fdmcf9xsoRA?e=jHygdj, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56077.md. Security practitioners should consult these for patch information, workarounds, or configuration changes to address the issue.
Details
- CWE(s)