CVE-2025-56114
Published: 11 December 2025
Summary
CVE-2025-56114 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Ew1300G Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the insufficient input validation in module_set that enables OS command injection via crafted POST requests.
Requires timely identification, reporting, and patching of the specific flaw in the Ruijie M18 firmware to remediate the vulnerability.
Restricts and scans inserted information such as POST request parameters to block malicious command payloads before processing.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of a public-facing web application via crafted POST request for arbitrary OS command injection on a Unix-like system.
NVD Description
OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
Deeper analysisAI
CVE-2025-56114 is an OS Command Injection vulnerability (CWE-78) affecting the Ruijie M18 device running firmware version EW_3.0(1)B11P226_M18_10223116. The flaw resides in the module_set function within the file /usr/local/lua/dev_config/config_retain.lua, where insufficient input validation allows attackers to inject and execute arbitrary operating system commands through a specially crafted POST request. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and potential for significant impact.
An attacker with low privileges (PR:L), such as an authenticated user, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending a malicious POST request to the vulnerable endpoint, the attacker can execute arbitrary commands on the underlying operating system, potentially leading to full system compromise with high impacts on confidentiality, integrity, and availability.
Mitigation details and further technical analysis are documented in vendor advisories and independent reports available at the following references: https://1drv.ms/f/c/12406a392c92914b/EmXarTTNPwFHjk8lLwQIqj8Ba9nlq-owLMBtEKpBwMrn5A?e=vvi2dM, https://1drv.ms/t/c/12406a392c92914b/EWfEhLkTSblOur72XhaQ7W4BsxQ1IWXZ-Wkcv9WC7AYb-g?e=LpMdqT, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56114.md. Security practitioners should consult these for patch availability, workaround guidance, and affected version confirmation.
Details
- CWE(s)