CVE-2025-56090

High · Public PoC · RCE

Published: 11 December 2025

Modified: 27 January 2026
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.9th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-56090 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie RG-EW1200G PRO. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 39.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-56090 is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1200G PRO router across firmware versions V1.00, V2.00, V3.00, and V4.00. The issue affects the module_set function in the file /usr/local/lua/dev_config/config_retain.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability can be exploited remotely over the network by attackers with low privileges, such as authenticated users, requiring low attack complexity and no user interaction. Successful exploitation allows arbitrary command execution on the underlying operating system, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to full device compromise, data theft, or further network pivoting.

Mitigation details and additional technical reports are documented in the following references: https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62, https://1drv.ms/t/c/12406a392c92914b/EfSHWqE3N11FpgQsV1BlZk0BxXIhFQjIp_xmJYIq1APvrw?e=JCIm6k, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56090.md. Security practitioners should consult these for patch availability, workarounds, or proof-of-concept details.

Vulnerability details

OS Command Injection vulnerability in Ruijie RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allows attackers to execute arbitrary commands via a crafted POST request to the module_set function in file /usr/local/lua/dev_config/config_retain.lua.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 · Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection vulnerability enables exploitation of remote services (T1210) for arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-56084 · Same vendor: Ruijie
CVE-2025-56089 · Same vendor: Ruijie
CVE-2025-56095 · Same product: Ruijie Rg-Ew1200G Pro
CVE-2025-56101 · Same product: Ruijie Rg-Ew1200R
CVE-2025-56083 · Same vendor: Ruijie
CVE-2025-56123 · Same product: Ruijie Rg-Ew1200G Pro
CVE-2025-56113 · Same vendor: Ruijie
CVE-2025-56099 · Same vendor: Ruijie
CVE-2025-56110 · Same vendor: Ruijie
CVE-2025-56092 · Same vendor: Ruijie

Affected Assets

Vendor · Product · Version
ruijie · rg-ew1200g pro firmware · all versions
ruijie · rg-ew1200r firmware · ew_3.0\(1\)b11p301

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly mitigates OS command injection by requiring validation of crafted POST request inputs to the module_set function in config_retain.lua, preventing arbitrary command execution.

prevent

Requires timely remediation of the specific flaw in affected firmware versions V1.00 through V4.00 to eliminate the command injection vulnerability.

detect · respond

Enables scanning for and remediation of CVE-2025-56090 in vulnerable Ruijie router firmware, addressing exploitation risks across multiple versions.
