CVE-2025-56088
Published: 11 December 2025
Summary
CVE-2025-56088 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Bcr860 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 48.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates OS command injection by requiring validation of untrusted inputs from crafted POST requests to the vulnerable endpoint.
Ensures timely remediation of the specific flaw in the LuCI controller, preventing exploitation through patching.
Limits the scope and impact of arbitrary command execution by enforcing least privilege on the vulnerable service process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via web endpoint enables remote service exploitation (T1210) and arbitrary command execution on network device CLI (T1059.008).
NVD Description
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_service in file /usr/lib/lua/luci/controller/admin/service.lua.
Deeper analysisAI
CVE-2025-56088 is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-BCR RG-BCR860 device. The flaw exists in the action_service endpoint within the file /usr/lib/lua/luci/controller/admin/service.lua, where a crafted POST request enables attackers to execute arbitrary operating system commands. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact.
The vulnerability can be exploited by attackers who possess low privileges, such as authenticated users with minimal administrative access, over the network without requiring user interaction. By sending a specially crafted POST request to the vulnerable endpoint, they can inject and execute arbitrary OS commands on the device, achieving high levels of confidentiality, integrity, and availability impact, which could result in full system compromise, data theft, or persistent access.
Detailed advisories, vulnerability reports, and potential mitigation steps, including patches, are documented in the following references: https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10, https://1drv.ms/t/c/12406a392c92914b/EQ5pK82-KmxKht6YgsEzaOsBzrC05Cael1vwpfM9ZxX97Q?e=qEgmtB, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56088.md.
Details
- CWE(s)