CVE-2025-56129
Published: 11 December 2025
Summary
CVE-2025-56129 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Bcr860 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 20.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates OS command injection by enforcing validation and sanitization of crafted POST requests to the action_diagnosis function.
Remediates the specific flaw in /usr/lib/lua/luci/controller/admin/diagnosis.lua through timely patching or code correction.
Eliminates the vulnerable diagnosis functionality if non-essential, preventing exploitation of the command injection endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via crafted POST request to web interface enables exploitation of public-facing application (T1190) for initial access and arbitrary command execution on network device CLI (T1059.008).
NVD Description
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_diagnosis in file /usr/lib/lua/luci/controller/admin/diagnosis.lua.
Deeper analysisAI
CVE-2025-56129, published on 2025-12-11, is an OS Command Injection vulnerability (CWE-78) in the Ruijie RG-BCR series, specifically the RG-BCR860 model. The issue affects the file /usr/lib/lua/luci/controller/admin/diagnosis.lua, where the action_diagnosis function fails to properly sanitize crafted POST requests, enabling attackers to inject and execute arbitrary operating system commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Attackers require low privileges, such as those of an authenticated user (PR:L), to exploit the vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By sending a specially crafted POST request to the vulnerable endpoint, they can achieve remote code execution, compromising confidentiality, integrity, and availability at a high level (C:H/I:H/A:H).
Advisories and detailed reports on mitigation, including potential patches, are available in the CVE references: https://1drv.ms/f/c/12406a392c92914b/EqEQemupso9DldgG-EcUI8IBLpEWP_S-f6vpeUtYztYYCg?e=gX4A10, https://1drv.ms/t/c/12406a392c92914b/EaJ2e_mzgltOiHqb4t8xIvgBoT2CYEP0nrhZd7IYlCHSPQ?e=miUrrL, and https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56129.md.
Details
- CWE(s)