CVE-2025-56130
Published: 11 December 2025
Summary
CVE-2025-56130 is a high-severity OS Command Injection (CWE-78) vulnerability in Ruijie Rg-Nbs5100-24Gt4Sfp Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 23.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2025-56130 by requiring timely patching or upgrading of the vulnerable S1930SWITCH_3.0(1)B11P230 firmware to eliminate the OS command injection flaw.
Prevents exploitation of CVE-2025-56130 by validating and sanitizing POST request inputs to the module_update function in /usr/local/lua/dev_config/ace_sw.lua, blocking arbitrary OS command injection.
Limits the attack surface for CVE-2025-56130 by restricting access to the vulnerable module_update endpoint to only authorized personnel or roles beyond basic low-privilege users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via crafted POST request enables arbitrary command execution on the network device (T1059.008: Network Device CLI) and exploitation of the remote web service (T1210: Exploitation of Remote Services).
NVD Description
OS Command Injection vulnerability in Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230 allowing attackers to execute arbitrary commands via a crafted POST request to the module_update in file /usr/local/lua/dev_config/ace_sw.lua.
Deeper analysisAI
CVE-2025-56130 is an OS command injection vulnerability (CWE-78) affecting the Ruijie RG-S1930 switch running version S1930SWITCH_3.0(1)B11P230. The flaw resides in the module_update function within the file /usr/local/lua/dev_config/ace_sw.lua, where attackers can inject and execute arbitrary operating system commands through a specially crafted POST request. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and potential for significant impact on confidentiality, integrity, and availability.
Exploitation requires low privileges (PR:L), such as those held by an authenticated user with access to the affected interface. An attacker can remotely send a malicious POST request to the vulnerable endpoint over the network without user interaction, achieving arbitrary command execution on the underlying OS. This grants high-level compromise, enabling data exfiltration, modification of system files, service disruption, or full device takeover.
Mitigation guidance and additional details are available in vendor and researcher advisories, including the report at https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56130.md and supporting documents at https://1drv.ms/f/c/12406a392c92914b/EpWU9cQdd5RNszcYlTj2cGsBfiClkCwF0zCsLNYer2VIZA?e=ANIgPM. The CVE was published on 2025-12-11.
Details
- CWE(s)