CVE-2025-56122
Published: 11 December 2025
Summary
CVE-2025-56122 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Ew1800Gx Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of untrusted inputs like crafted POST requests to prevent OS command injection in the Lua script.
Ensures timely remediation of known flaws such as this command injection vulnerability through patching the affected firmware version.
Limits potential damage from command injection by enforcing least privilege on low-privilege accounts accessing the vulnerable endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via crafted POST to web interface (/usr/local/lua/dev_sta/networkConnect.lua) on network device enables exploitation of public-facing application for arbitrary command execution on the device CLI.
NVD Description
OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
Deeper analysisAI
CVE-2025-56122, published on 2025-12-11, is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1800GX PRO device running firmware version B11P226_EW1800GX-PRO_10223117. The issue affects the module_get function in the file /usr/local/lua/dev_sta/networkConnect.lua, enabling attackers to execute arbitrary operating system commands through a crafted POST request.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and exploitation requiring only low privileges without user interaction or scope changes. Attackers with such privileges can remotely inject and execute commands, resulting in high impacts to confidentiality, integrity, and availability, potentially allowing full device compromise.
Advisories and detailed reports on this vulnerability, including potential mitigations and patches, are available in the referenced sources: https://1drv.ms/f/c/12406a392c92914b/Eohr-0awt6VAuiLCNhCG0rgBLQip6nJpl-9Hy0OqB4MvFg?e=DIfBxi, https://1drv.ms/t/c/12406a392c92914b/EZOBtzLwlmBKschv6sxT_LcBBKnMP_OXO7d24321UD8x8g?e=Dpui5j, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56122.md.
Details
- CWE(s)