CVE-2025-56101

HighPublic PoCRCE

Published: 11 December 2025

Published

11 December 2025

Modified

27 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0021 42.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-56101 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie M18-Ew Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked at the 42.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Network Device CLI (T1059.008) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by validating and sanitizing crafted POST request inputs to the module_get function in /usr/local/lua/dev_sta/networkConnect.lua.

SI-2 Flaw Remediation good match

prevent

Requires timely patching of the command injection flaw in firmware EW_3.0(1)B11P226_M18_10223116 to eliminate arbitrary command execution capability.

AC-6 Least Privilege partial match

prevent

Enforces least privilege on the process handling the vulnerable endpoint, limiting the impact and scope of any successfully injected OS commands.

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

The OS command injection vulnerability enables arbitrary command execution on a network device via remote exploitation (T1210) and abuse of network device CLI capabilities (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.

Deeper analysisAI

CVE-2025-56101, published on 2025-12-11, is an OS Command Injection vulnerability (CWE-78) in the Ruijie M18 device running firmware version EW_3.0(1)B11P226_M18_10223116. The issue affects the module_get function in the file /usr/local/lua/dev_sta/networkConnect.lua, where attackers can execute arbitrary commands through a crafted POST request. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, and significant impacts across confidentiality, integrity, and availability.

Attackers with low privileges (PR:L), such as authenticated users, can exploit this over the network without requiring user interaction. By sending a specially crafted POST request to the vulnerable endpoint, they gain the ability to execute arbitrary operating system commands on the device, potentially leading to full compromise including data theft, modification, or disruption of services.

Advisories and detailed reports on mitigation, patches, or workarounds are referenced in the following sources: https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM, https://1drv.ms/t/c/12406a392c92914b/EbNlU_0K0v1Krzq7CaUWn0AB_yu3ICrdmwoVuS2txFGMhA?e=0gIUMh, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56101.md.

Details

CWE(s): CWE-78

Affected Products

ruijie

m18-ew firmware

3.0\(1\)b11p226

ruijie

rg-ew1200r firmware

ew_3.0\(1\)b11p301

CVEs Like This One

CVE-2025-56089Same product: Ruijie M18-Ew

CVE-2025-56090Same product: Ruijie Rg-Ew1200R

CVE-2025-56088Same vendor: Ruijie

CVE-2025-56130Same vendor: Ruijie

CVE-2025-56097Same vendor: Ruijie

CVE-2025-56091Same vendor: Ruijie

CVE-2025-56114Same product: Ruijie M18-Ew

CVE-2025-56122Same vendor: Ruijie

CVE-2025-56084Same vendor: Ruijie

CVE-2025-56085Same vendor: Ruijie

References

https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM
Broken Link · cve@mitre.org
https://1drv.ms/t/c/12406a392c92914b/EbNlU_0K0v1Krzq7CaUWn0AB_yu3ICrdmwoVuS2txFGMhA?e=0gIUMh
Broken Link · cve@mitre.org
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56101.md
Exploit, Third Party Advisory · cve@mitre.org