CVE-2025-56110
Published: 11 December 2025
Summary
CVE-2025-56110 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Bcr860 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 enforces validation of information inputs to the action_deal_update function, directly preventing crafted POST requests from injecting and executing arbitrary OS commands.
SI-2 requires timely remediation of the specific OS command injection flaw in /usr/lib/lua/luci/controller/api/rcmsAPI.lua through vendor patches.
SC-7 provides boundary protection at network interfaces to monitor and block malicious POST requests exploiting the vulnerable rcmsAPI.lua endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via crafted POST to web API on network device enables exploitation of public-facing application (T1190) and Unix shell command execution (T1059.004).
NVD Description
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_deal_update in file /usr/lib/lua/luci/controller/api/rcmsAPI.lua.
Deeper analysisAI
CVE-2025-56110 is an OS Command Injection vulnerability (CWE-78) in Ruijie RG-BCR and RG-BCR860 devices. The issue exists in the action_deal_update function within the file /usr/lib/lua/luci/controller/api/rcmsAPI.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. Published on 2025-12-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and significant impacts.
The vulnerability can be exploited by low-privileged attackers (PR:L) over the network with low attack complexity and no user interaction required. By crafting a malicious POST request to the vulnerable endpoint, such attackers can inject and execute arbitrary OS commands, potentially leading to remote code execution with high confidentiality, integrity, and availability impacts on the affected device.
Mitigation details are outlined in the referenced advisories, including vulnerability reports at https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56110.md and supporting documents at https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10, https://1drv.ms/t/c/12406a392c92914b/EWK5h1b7Ig1Pt-jdTSQ6t5wBYIbKPHujlBimUpdYNVR-6A?e=eQRXef. Security practitioners should consult these for patch availability and workaround guidance specific to Ruijie RG-BCR series devices.
Details
- CWE(s)