CVE-2025-56123
Published: 11 December 2025
Summary
CVE-2025-56123 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Ew1200G Pro. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the OS command injection flaw in the module_get function of networkConnect.lua by applying vendor patches or updates.
Prevents arbitrary command execution by validating and sanitizing crafted POST request inputs to the vulnerable Lua script.
Restricts input at the web interface to safe formats and lengths, blocking injection payloads targeting the networkConnect.lua module.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an OS command injection in a public-facing web interface on a network device (router), enabling exploitation of a public-facing application (T1190) and arbitrary command execution via network device CLI-like capabilities (T1059.008).
NVD Description
OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
Deeper analysisAI
CVE-2025-56123, published on 2025-12-11, is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-EW1200G PRO router across firmware versions V1.00, V2.00, V3.00, and V4.00. The issue affects the module_get function in the file /usr/local/lua/dev_sta/networkConnect.lua, where attackers can execute arbitrary operating system commands by sending a crafted POST request.
With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable over the network with low attack complexity and no user interaction. It requires low privileges (PR:L), such as those held by an authenticated user, allowing remote attackers to achieve high impacts on confidentiality, integrity, and availability through arbitrary command execution.
Advisories and reports on mitigation are available in the provided references, including https://1drv.ms/f/c/12406a392c92914b/EkH0xWseMXBJg-Ck_uD34fcB-3pDo3MAQc2AKNlXqwYr2w?e=GU9l62, https://1drv.ms/t/c/12406a392c92914b/ERjNMNZRBD5HoYydt7Kb3kwBT4ycJXROxTsVBB-WXXqH6Q?e=q8Lcd2, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56123.md.
Details
- CWE(s)