CVE-2025-56093

HighPublic PoCRCE

Published: 11 December 2025

Published

11 December 2025

Modified

27 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0050 66.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-56093 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie X30 Pro Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 33.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires information input validation at entry points like the setWisp POST endpoint, directly preventing OS command injection from crafted requests.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of flaws such as the command injection in wireless.lua, enabling patching of this specific CVE.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to restrict low-privilege (PR:L) users from accessing the vulnerable setWisp function in the web interface.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Vulnerability enables exploitation of public-facing web application via crafted POST request (T1190), resulting in arbitrary OS command injection on Linux-based device (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the setWisp in file /usr/lib/lua/luci/modules/wireless.lua.

Deeper analysisAI

CVE-2025-56093 is an OS command injection vulnerability (CWE-78) affecting the Ruijie X30-PRO device, specifically version X30-PRO-V1_09241521. The flaw resides in the setWisp function within the file /usr/lib/lua/luci/modules/wireless.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

Exploitation requires low privileges, such as those held by an authenticated user with network access to the device. An attacker can remotely trigger the vulnerability with low complexity and no user interaction, achieving arbitrary command execution on the underlying operating system. This grants high-level control over the device, potentially enabling full compromise, data exfiltration, persistence, or further lateral movement within a network.

Advisories and detailed reports, including vulnerability analyses for this and related Ruijie device flaws, are available in the referenced GitHub repositories from flegoity and associated OneDrive documents. Practitioners should consult these sources for vendor-specific guidance on patches, workarounds, or configuration changes to mitigate exposure.

Details

CWE(s): CWE-78

Affected Products

ruijie

x30 pro firmware

all versions

ruijie

rg-ew300 pro firmware

3.0\(1\)b11p219

ruijie

rg-eap602 firmware

3.0\(1\)b2p55

CVEs Like This One

CVE-2025-56098Same product: Ruijie Rg-Ew300 Pro

CVE-2025-56094Same product: Ruijie Rg-Ew300 Pro

CVE-2025-56108Same product: Ruijie Rg-Eap602

CVE-2025-56095Same product: Ruijie Rg-Eap602

CVE-2025-56117Same product: Ruijie X30 Pro

CVE-2025-56092Same product: Ruijie X30 Pro

CVE-2025-56099Same product: Ruijie Rg-Eap602

CVE-2025-56083Same product: Ruijie Rg-Eap602

CVE-2025-56086Same vendor: Ruijie

CVE-2025-56106Same vendor: Ruijie

References

https://1drv.ms/f/c/12406a392c92914b/EtGIxwWujwxBvQhL9wgnUIwBkg-mndJJX07Igr6d0cic-g?e=4KJbWY
Product, Broken Link · cve@mitre.org
https://1drv.ms/t/c/12406a392c92914b/Edoz9sBTjeJMqw8K0f3lWgMBNxBlpE9IIUwOX2h2S1cMhw?e=46VlOq
Third Party Advisory, Broken Link · cve@mitre.org
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56092.md
Not Applicable · cve@mitre.org
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56093.md
Exploit, Third Party Advisory · cve@mitre.org