Cyber Resilience

CVE-2025-56110

HighPublic PoCRCE

Published: 11 December 2025

Published
11 December 2025
Modified
26 January 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0109 78.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-56110 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Bcr860 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-56110 is an OS Command Injection vulnerability (CWE-78) in Ruijie RG-BCR and RG-BCR860 devices. The issue exists in the action_deal_update function within the file /usr/lib/lua/luci/controller/api/rcmsAPI.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and significant impacts.

The vulnerability can be exploited by low-privileged attackers (PR:L) over the network with low attack complexity and no user interaction required. By crafting a malicious POST request to the vulnerable endpoint, such attackers can inject and execute arbitrary OS commands, potentially leading to remote code execution with high confidentiality, integrity, and availability impacts on the affected device.

Mitigation details are outlined in the referenced advisories, including vulnerability reports at https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56110.md and supporting documents at https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10, https://1drv.ms/t/c/12406a392c92914b/EWK5h1b7Ig1Pt-jdTSQ6t5wBYIbKPHujlBimUpdYNVR-6A?e=eQRXef. Security practitioners should consult these for patch availability and workaround guidance specific to Ruijie RG-BCR series devices.

EU & UK References

Vulnerability details

OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_deal_update in file /usr/lib/lua/luci/controller/api/rcmsAPI.lua.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection via crafted POST to web API on network device enables exploitation of public-facing application (T1190) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-56111Same product: Ruijie Rg-Bcr860
CVE-2025-56129Same product: Ruijie Rg-Bcr860
CVE-2025-56109Same product: Ruijie Rg-Bcr860
CVE-2025-56088Same product: Ruijie Rg-Bcr860
CVE-2025-56099Same vendor: Ruijie
CVE-2025-56092Same vendor: Ruijie
CVE-2025-56086Same vendor: Ruijie
CVE-2025-56079Same vendor: Ruijie
CVE-2025-56093Same vendor: Ruijie
CVE-2025-56095Same vendor: Ruijie

Affected Assets

ruijie
rg-bcr860 firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 enforces validation of information inputs to the action_deal_update function, directly preventing crafted POST requests from injecting and executing arbitrary OS commands.

prevent

SI-2 requires timely remediation of the specific OS command injection flaw in /usr/lib/lua/luci/controller/api/rcmsAPI.lua through vendor patches.

preventdetect

SC-7 provides boundary protection at network interfaces to monitor and block malicious POST requests exploiting the vulnerable rcmsAPI.lua endpoint.

References