CVE-2025-56087
Published: 11 December 2025
Summary
CVE-2025-56087 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Bcr600W Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked at the 22.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation of untrusted inputs in the crafted POST request to run_tcpdump.
Addresses the vulnerability through timely remediation and patching of the flaw in /usr/lib/lua/luci/controller/admin/common_tcpdump.lua.
Mitigates exposure by restricting the device to least functionality, such as disabling the unnecessary tcpdump feature.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via crafted POST request to web interface enables exploitation of public-facing application (T1190) and execution of arbitrary OS commands on network device CLI (T1059.008).
NVD Description
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the run_tcpdump in file /usr/lib/lua/luci/controller/admin/common_tcpdump.lua.
Deeper analysisAI
CVE-2025-56087 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-BCR RG-BCR600W device. The flaw resides in the run_tcpdump function within the file /usr/lib/lua/luci/controller/admin/common_tcpdump.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
The vulnerability can be exploited by low-privileged remote attackers with network access to the device. An attacker with basic authenticated access (PR:L) can craft and submit a malicious POST request to the affected endpoint, leading to arbitrary command execution on the underlying operating system. Successful exploitation grants high-level control over the device, potentially allowing full compromise including data exfiltration, modification of configurations, or disruption of services.
Advisories and detailed reports are available in the provided references, including vulnerability analyses hosted on OneDrive and a GitHub repository at https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56087.md, which may outline mitigation strategies such as applying vendor patches, restricting administrative access, or disabling the tcpdump functionality. Security practitioners should consult these sources for specific remediation guidance.
Details
- CWE(s)