Cyber Resilience

CVE-2025-56089

HighPublic PoCRCE

Published: 11 December 2025

Published
11 December 2025
Modified
27 January 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0067 72.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-56089 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie M18-Ew Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 28.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-56089 is an OS Command Injection vulnerability (CWE-78) in the Ruijie M18 device running firmware version EW_3.0(1)B11P226_M18_10223116. The issue affects the module_set function in the file /usr/local/lua/dev_sta/nbr_cwmp.lua, enabling attackers to execute arbitrary operating system commands by sending a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting a malicious POST request to the vulnerable endpoint, they can inject and execute arbitrary OS commands, potentially achieving full control over the device, including data exfiltration, modification, or disruption of services.

Mitigation details and advisories are documented in the following references: https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM, https://1drv.ms/t/c/12406a392c92914b/Ea56irtVj4dNs59Pzz7fkiIBQeVLjDcMDEXC2FpCQydIZQ?e=70gcOe, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56089.md. Security practitioners should review these for patch availability or workarounds specific to Ruijie M18 deployments.

EU & UK References

Vulnerability details

OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The OS command injection vulnerability directly enables arbitrary Unix shell command execution (T1059.004) via crafted POST requests and represents exploitation of a remote service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-56084Same vendor: Ruijie
CVE-2025-56090Same vendor: Ruijie
CVE-2025-56114Same product: Ruijie M18-Ew
CVE-2025-56101Same product: Ruijie M18-Ew
CVE-2025-56083Same vendor: Ruijie
CVE-2025-56113Same vendor: Ruijie
CVE-2025-56099Same vendor: Ruijie
CVE-2025-56110Same vendor: Ruijie
CVE-2025-56092Same vendor: Ruijie
CVE-2025-56108Same vendor: Ruijie

Affected Assets

ruijie
m18-ew firmware
3.0\(1\)b11p226
ruijie
rg-ew300g pro firmware
ew_3.0\(1\)b11p219

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents OS command injection by validating crafted POST request inputs to the module_set function in nbr_cwmp.lua against expected formats and content.

prevent

SI-2 remediates the specific flaw in the Ruijie M18 firmware by identifying, reporting, and correcting the command injection vulnerability via patching.

prevent

SI-9 restricts malicious inputs in POST requests to the vulnerable endpoint, blocking arbitrary OS command payloads before execution.

References