CVE-2025-56118
Published: 11 December 2025
Summary
CVE-2025-56118 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-X60 Pro. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 30.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the OS command injection flaw in the module_set function of /usr/local/lua/dev_sta/nbr_cwmp.lua by identifying, patching, and verifying fixes.
Prevents exploitation by enforcing input validation mechanisms on crafted POST requests to the vulnerable module_set endpoint.
Limits damage from successful command injection by enforcing least privilege on low-privilege (PR:L) accounts accessing the affected Lua function.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS Command Injection via crafted POST request enables remote exploitation of a public-facing application (T1190) and arbitrary command execution on the network device CLI (T1059.008).
NVD Description
OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
Deeper analysisAI
CVE-2025-56118 is an OS command injection vulnerability (CWE-78) affecting Ruijie X60 PRO devices, specifically model X60_10212014RG-X60 PRO in versions V1.00 and V2.00. The flaw resides in the module_set function within the file /usr/local/lua/dev_sta/nbr_cwmp.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request. The vulnerability received a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-11T19:15:57.270.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and without user interaction (UI:N). Successful exploitation allows arbitrary command execution on the underlying OS, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged security scope (S:U). This enables remote code execution, potentially leading to full device compromise.
Advisories and detailed reports on this vulnerability, including potential mitigation guidance, are available in the following references: https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh, https://1drv.ms/t/c/12406a392c92914b/EV2jr71QaoFBjf3SLQcUA6sBcmzSsyx2jJ_XY7yOBk_Sjg?e=WOY7Wd, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56118.md.
Details
- CWE(s)