CVE-2025-56079
Published: 11 December 2025
Summary
CVE-2025-56079 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Ew1300G. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by validating and sanitizing crafted POST request inputs to the vulnerable module_get function in networkConnect.lua.
Addresses the specific flaw in the Lua script by identifying, reporting, and remediating vulnerabilities like CVE-2025-56079 through timely patching.
Limits the impact of arbitrary command execution by authenticated low-privilege users through enforcement of least privilege on system resources.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection vulnerability in router web interface enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).
NVD Description
OS Command Injection vulnerability in Ruijie RG-EW1300G EW1300G V1.00/V2.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
Deeper analysisAI
CVE-2025-56079 is an OS command injection vulnerability (CWE-78) affecting Ruijie RG-EW1300G routers in versions V1.00, V2.00, and V4.00. The flaw resides in the module_get function within the file /usr/local/lua/dev_sta/networkConnect.lua, where attackers can inject and execute arbitrary operating system commands through a specially crafted POST request. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending a malicious POST request to the affected endpoint, they gain the ability to execute arbitrary commands on the underlying operating system, potentially leading to full remote code execution. This results in high impacts on confidentiality, integrity, and availability, allowing compromise of the device.
Mitigation details and additional technical information are provided in the following advisories: https://1drv.ms/f/c/12406a392c92914b/EjGDN1e4xfZOhROI3hzjKr0Bb9TVCN03MAR_VK56P8V3Ug?e=NmUXvt, https://1drv.ms/t/c/12406a392c92914b/EZdYNxRd8ilMrCRXLnltUKEBiBXJzrTc9i7Y643cuho9PA?e=7Bifxw, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56079.md. Security practitioners should consult these resources for patch availability, workarounds, or configuration changes specific to the affected Ruijie devices.
Details
- CWE(s)