CVE-2025-56085
Published: 11 December 2025
Summary
CVE-2025-56085 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Ew1200 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of crafted POST request inputs to the module_set function to prevent OS command injection.
Mandates timely remediation of known flaws like CVE-2025-56085 through firmware patching to eliminate the command injection vulnerability.
Enforces least privilege on the vulnerable Lua process to limit the scope and impact of arbitrary command execution even if injection occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The OS command injection vulnerability in the web interface allows remote exploitation of a public-facing application (T1190) to achieve arbitrary command execution on the network device, facilitating network device CLI abuse (T1059.008).
NVD Description
OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
Deeper analysisAI
CVE-2025-56085 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-EW1200 device running firmware EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00. The flaw resides in the module_set function within the file /usr/local/lua/dev_config/config_retain.lua, where a crafted POST request can inject and execute arbitrary operating system commands. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (high severity), reflecting network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
Attackers with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. By sending a specially crafted POST request to the vulnerable module_set endpoint, they can execute arbitrary OS commands on the device, potentially achieving full remote code execution, data exfiltration, system modification, or denial of service.
Mitigation details, including patches and advisories, are available in the following references: https://1drv.ms/f/c/12406a392c92914b/EuESCSUsYvtAtfW1SfmGGxsBw-kN9iCbpnUU9T8TXofH3w?e=kp5OXK, https://1drv.ms/t/c/12406a392c92914b/ERuoK3MLW2RLpQ6qOoGs5wIB73tNnsDzRT8U6U6z4VmskQ?e=KIjaOa, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56085.md. Security practitioners should consult these for vendor-recommended updates and workarounds.
Details
- CWE(s)