CVE-2025-56091
Published: 11 December 2025
Summary
CVE-2025-56091 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Ew1800Gx Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the OS command injection vulnerability by requiring timely identification, reporting, and patching of the flaw in the /usr/local/lua/dev_config/config_retain.lua file.
Prevents command injection exploitation by enforcing validation of POST request inputs to the module_set function, blocking arbitrary OS command payloads.
Reduces remote network access (AV:N) to the vulnerable management endpoint on the Ruijie RG-EW1800GX device, limiting exploitation opportunities.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote OS command injection via a web interface (POST request) on a network device, directly enabling exploitation of public-facing applications (T1190), network device CLI abuse (T1059.008), and exploitation of remote services for code execution (T1210).
NVD Description
OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
Deeper analysisAI
CVE-2025-56091 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-EW1800GX device running firmware version B11P226_EW1800GX_10223121. The flaw resides in the file /usr/local/lua/dev_config/config_retain.lua, where the module_set function processes POST requests insecurely, enabling attackers to inject and execute arbitrary operating system commands. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
Attackers with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By crafting a malicious POST request to the module_set endpoint, they can execute arbitrary commands on the underlying OS, potentially leading to full remote code execution, data exfiltration, system compromise, or further lateral movement within the network.
Advisories and detailed reports on this vulnerability, including potential mitigation guidance, are available in the referenced sources: https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6, https://1drv.ms/t/c/12406a392c92914b/EdiWfxSbC0pAu_oksKjm2xgBXSCavYBBJt8V51JkcH4Dsw?e=OhOVCN, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56091.md.
Details
- CWE(s)