CVE-2025-56097
Published: 11 December 2025
Summary
CVE-2025-56097 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Ew1800Gx Pro Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 30.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates OS command injection by requiring validation of crafted POST requests to the module_set function in config_retain.lua.
Requires timely remediation and patching of the specific flaw in the Ruijie firmware's Lua script to eliminate the vulnerability.
Enforces restrictions on information inputs to the vulnerable endpoint, blocking malicious payloads in POST requests that enable command injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an OS command injection in a network device's web management interface (/usr/local/lua/...), exploitable remotely by low-privileged users via POST request, directly enabling exploitation of remote services (T1210) to achieve arbitrary command execution on the network device CLI (T1059.008).
NVD Description
OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
Deeper analysisAI
CVE-2025-56097 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-EW1800GX PRO device running firmware version B11P226_EW1800GX-PRO_10223117. The flaw resides in the module_set function within the file /usr/local/lua/dev_config/config_retain.lua, where attackers can inject and execute arbitrary operating system commands through a specially crafted POST request. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
The vulnerability can be exploited by low-privileged users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows attackers to execute arbitrary commands on the underlying operating system, potentially leading to full device compromise, including data theft, modification of configurations, or disruption of network services.
Mitigation details and additional technical reports are available in the referenced advisories, including the GitHub report at https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56097.md and OneDrive documents at https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi and https://1drv.ms/t/c/12406a392c92914b/EeVJ2woYmHVHn_C0Sy_iRZsB4yZQFJDXSBOwMSZW0KXJrQ?e=VVGxWb. Security practitioners should consult these for vendor-recommended patches or workarounds.
Details
- CWE(s)