Cyber Resilience

CVE-2025-56101

HighPublic PoCRCE

Published: 11 December 2025

Published
11 December 2025
Modified
27 January 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0023 46.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-56101 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie M18-Ew Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked at the 46.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-56101, published on 2025-12-11, is an OS Command Injection vulnerability (CWE-78) in the Ruijie M18 device running firmware version EW_3.0(1)B11P226_M18_10223116. The issue affects the module_get function in the file /usr/local/lua/dev_sta/networkConnect.lua, where attackers can execute arbitrary commands through a crafted POST request. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, and significant impacts across confidentiality, integrity, and availability.

Attackers with low privileges (PR:L), such as authenticated users, can exploit this over the network without requiring user interaction. By sending a specially crafted POST request to the vulnerable endpoint, they gain the ability to execute arbitrary operating system commands on the device, potentially leading to full compromise including data theft, modification, or disruption of services.

Advisories and detailed reports on mitigation, patches, or workarounds are referenced in the following sources: https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM, https://1drv.ms/t/c/12406a392c92914b/EbNlU_0K0v1Krzq7CaUWn0AB_yu3ICrdmwoVuS2txFGMhA?e=0gIUMh, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56101.md.

EU & UK References

Vulnerability details

OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The OS command injection vulnerability enables arbitrary command execution on a network device via remote exploitation (T1210) and abuse of network device CLI capabilities (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-56088Same vendor: Ruijie
CVE-2025-56130Same vendor: Ruijie
CVE-2025-56089Same product: Ruijie M18-Ew
CVE-2025-56097Same vendor: Ruijie
CVE-2025-56090Same product: Ruijie Rg-Ew1200R
CVE-2025-56091Same vendor: Ruijie
CVE-2025-56114Same product: Ruijie M18-Ew
CVE-2025-56084Same vendor: Ruijie
CVE-2025-56085Same vendor: Ruijie
CVE-2025-56087Same vendor: Ruijie

Affected Assets

ruijie
m18-ew firmware
3.0\(1\)b11p226
ruijie
rg-ew1200r firmware
ew_3.0\(1\)b11p301

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by validating and sanitizing crafted POST request inputs to the module_get function in /usr/local/lua/dev_sta/networkConnect.lua.

prevent

Requires timely patching of the command injection flaw in firmware EW_3.0(1)B11P226_M18_10223116 to eliminate arbitrary command execution capability.

prevent

Enforces least privilege on the process handling the vulnerable endpoint, limiting the impact and scope of any successfully injected OS commands.

References