CVE-2025-56095
Published: 11 December 2025
Summary
CVE-2025-56095 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Ew1200G Pro. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the OS command injection flaw in the module_set function of /usr/local/lua/dev_sta/nbr_cwmp.lua by identifying, reporting, and correcting the vulnerability in affected firmware versions.
Requires validation of information inputs such as POST request parameters to prevent crafted payloads from injecting and executing arbitrary OS commands.
Restricts inputs to the vulnerable endpoint to organization-defined safe types, blocking malicious POST requests that enable command injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via crafted POST request to web management interface enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).
NVD Description
OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
Deeper analysisAI
CVE-2025-56095 is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1200G PRO device across firmware versions V1.00, V2.00, V3.00, and V4.00. The issue affects the module_set function in the file /usr/local/lua/dev_sta/nbr_cwmp.lua, where attackers can execute arbitrary commands through a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.
Remote attackers with low privileges can exploit this vulnerability by sending a specially crafted POST request to the vulnerable endpoint. No user interaction is required, enabling straightforward exploitation over the network. Successful attacks allow arbitrary OS command execution on the device, potentially leading to full remote code execution, data compromise, system modification, or denial of service.
Mitigation details and additional technical analysis are available in the following advisories and reports: https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62, https://1drv.ms/t/c/12406a392c92914b/EQgGsVREbAJEv4dCG7LAzoYBUiS4nCjWKun_QhenDHzU0Q?e=Ly0lll, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56095.md.
Details
- CWE(s)