Cyber Posture

CVE-2025-56096

HighRCE

Published: 11 December 2025

Published
11 December 2025
Modified
26 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 38.9th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-56096 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Bcr600W Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of crafted POST request inputs to the restart_modules function, directly preventing OS command injection exploitation.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and remediation of the flaw in /usr/lib/lua/luci/controller/admin/common.lua, patching the vulnerability per advisories.

AC-6 Least Privilege partial match
prevent

Enforces least privilege to restrict access to the vulnerable restart_modules endpoint beyond low-privilege authenticated users.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

The OS Command Injection vulnerability in the web admin interface (LuCI controller) enables exploitation of a public-facing application (T1190) via crafted POST requests, facilitating arbitrary Unix shell command execution (T1059.004) on the device.

NVD Description

OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the restart_modules in file /usr/lib/lua/luci/controller/admin/common.lua.

Deeper analysisAI

CVE-2025-56096 is an OS Command Injection vulnerability (CWE-78) affecting Ruijie RG-BCR and RG-BCR600W devices. Published on 2025-12-11, the flaw exists in the restart_modules function within the file /usr/lib/lua/luci/controller/admin/common.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and the need for low privileges such as an authenticated user account. Exploitation requires no user interaction and has no impact on scope, but successful attacks enable high-impact compromise of confidentiality, integrity, and availability, including arbitrary command execution on the device.

Advisories providing further details on mitigation and patches are available at the following references: https://1drv.ms/f/c/12406a392c92914b/Evvem8Mw6SlNh-ZJpY_9SAsBq2iDi88TFdFdA1Am3PdfCQ?e=YeLYxb, https://1drv.ms/t/c/12406a392c92914b/EQ8FKwFLNjBLlL9hyg_YkUoBdsj_FcNtQsjdmKQ5M4-10A?e=bFC7Jg, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56096.md.

Details

CWE(s)
CWE-78

Affected Products

ruijie
rg-bcr600w firmware
all versions

CVEs Like This One

CVE-2025-56107Same product: Ruijie Rg-Bcr600W
CVE-2025-56082Same product: Ruijie Rg-Bcr600W
CVE-2025-56127Same product: Ruijie Rg-Bcr600W
CVE-2025-56087Same product: Ruijie Rg-Bcr600W
CVE-2025-56086Same vendor: Ruijie
CVE-2025-56095Same vendor: Ruijie
CVE-2025-56106Same vendor: Ruijie
CVE-2025-56117Same vendor: Ruijie
CVE-2025-56092Same vendor: Ruijie
CVE-2025-56114Same vendor: Ruijie

References