CVE-2025-56106
Published: 11 December 2025
Summary
CVE-2025-56106 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Ew1800Gx Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by validating and sanitizing untrusted inputs in crafted POST requests to the module_set function in nbr_cwmp.lua.
Remediates the specific flaw in the /usr/local/lua/dev_sta/nbr_cwmp.lua file through timely patching or firmware updates for the Ruijie RG-EW1800GX device.
Limits damage from injected OS commands by enforcing least privilege on the process handling low-privileged remote access, reducing potential for full device compromise.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via crafted POST request to web endpoint directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution (T1059.004).
NVD Description
OS Command Injection vulnerability in Ruijie RG-EW1800GX B11P226_EW1800GX_10223121 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
Deeper analysisAI
CVE-2025-56106 is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1800GX device running firmware version B11P226_EW1800GX_10223121. The flaw exists in the module_set function within the file /usr/local/lua/dev_sta/nbr_cwmp.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-11T19:15:56.207.
Low-privileged remote attackers (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious POST request to the affected module_set endpoint, they can inject and execute arbitrary OS commands, achieving high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise.
Advisories and reports providing further details on mitigation, patches, or workarounds are available in the following references: https://1drv.ms/f/c/12406a392c92914b/EgUg1zJuaItDmLxZhkCg4B8BcJTRYnXyX4ePIIjNoZrRew?e=a23cK6, https://1drv.ms/t/c/12406a392c92914b/EcUP8SMciOVBgNEy31-OnnkBQRk_fUCDWUtdDX8UBfbXEA?e=FuQDPi, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56106.md.
Details
- CWE(s)