CVE-2025-56086
Published: 11 December 2025
Summary
CVE-2025-56086 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Ew1200 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by validating and sanitizing inputs from crafted POST requests in the vulnerable Lua module_get function.
Addresses the specific flaw in the firmware by requiring timely identification, reporting, and patching of the command injection vulnerability.
Enforces restrictions on POST request inputs to block malicious payloads that could be injected into OS commands via the networkConnect.lua handler.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The OS command injection vulnerability in the public-facing web interface (/usr/local/lua/dev_sta/networkConnect.lua) enables remote exploitation for initial access (T1190) and arbitrary Unix shell command execution (T1059.004).
NVD Description
OS Command Injection vulnerability in Ruijie RG-EW1200 EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
Deeper analysisAI
CVE-2025-56086 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-EW1200 device running firmware version EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00. The flaw resides in the module_get function within the file /usr/local/lua/dev_sta/networkConnect.lua, where attackers can exploit it by sending a crafted POST request to inject and execute arbitrary operating system commands.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity and requires only low privileges. An authenticated attacker with low-level access can leverage the crafted POST request to execute arbitrary commands on the underlying OS, potentially resulting in high impacts to confidentiality, integrity, and availability, such as full system compromise.
Mitigation details and advisories are documented in the following references: https://1drv.ms/f/c/12406a392c92914b/EuESCSUsYvtAtfW1SfmGGxsBw-kN9iCbpnUU9T8TXofH3w?e=kp5OXK, https://1drv.ms/t/c/12406a392c92914b/ETgTxS2wFBlCjG4DP56-PjkBWwvraLHZ-BVaWh9Vs9_SuA?e=aTbjEe, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56086.md. The CVE was published on 2025-12-11T18:16:20.777.
Details
- CWE(s)