CVE-2025-9424
Published: 25 August 2025
Summary
CVE-2025-9424 is a low-severity Command Injection (CWE-77) vulnerability in Ruijie WS7204-A firmware. Its CVSS base score is 2.0 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
A vulnerability identified as CVE-2025-9424 affects the Ruijie WS7204-A wireless controller running firmware dated 2017.06.15. It resides in an unspecified function of the file /itbox_pi/branch_import.php when the script is invoked with the parameter a=branch_list. Manipulation of the province argument permits operating-system command injection, corresponding to CWE-77 and CWE-78. The flaw is remotely reachable and carries a CVSS 4.0 base score of 2.0 under the vector AV:N/AC:L/AT:N/PR:H/UI:N.
An authenticated administrator can supply crafted input to the province parameter and execute arbitrary operating-system commands on the device. Because a working exploit has already been published, an attacker with administrative credentials can obtain limited control over the controller’s operating environment, including the ability to read, modify, or delete selected data.
No vendor patch or mitigation guidance has been issued; the manufacturer was notified prior to disclosure but did not respond. Public references consist of a GitHub proof-of-concept and several VulDB entries that document the issue.
The associated EPSS score has remained flat at 0.0112 since publication, indicating no measurable increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25762
Vulnerability details
A vulnerability was identified in Ruijie WS7204-A 2017.06.15. Affected by this vulnerability is an unknown functionality of the file /itbox_pi/branch_import.php?a=branch_list. Such manipulation of the argument province leads to OS command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
OS command injection in public-facing web interface directly enables remote exploitation of the application (T1190) and arbitrary Unix shell command execution (T1059.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of untrusted input (province parameter) to block OS command injection in branch_import.php.
Enforces least privilege so that only accounts strictly needing the branch_list function can reach the vulnerable code path, limiting who can exploit it.
Restricts the web application to the minimum required OS commands and disables shell access from the PHP process, reducing the attack surface for command injection.
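With no vendor patch available, one way to watch for abuse of the province parameter is to scan web access logs for requests to the affected endpoint whose province value falls outside an allowlist. The following is an added example, not code from the vendor or from the referenced advisories; it assumes combined-format access logs, that province travels in the query string, and an allowlist of word characters, spaces and hyphens. The function name and sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: combined-format access logs with "province" in the query string.
# A POST body would not appear here and needs proxy or WAF request logging.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
VULN_PATH = "/itbox_pi/branch_import.php"
# Assumed allowlist for a province name: word characters (CJK included), space, hyphen.
SAFE_PROVINCE = re.compile(r"[\w \-]{1,64}")

def suspicious_requests(lines):
    """Return (source, decoded province) pairs for requests to the affected
    endpoint whose province value falls outside the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if "branch_list" not in query.get("a", []):
            continue
        for value in query.get("province", []):
            if not SAFE_PROVINCE.fullmatch(value):
                hits.append((m.group("src"), value))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - admin [25/Aug/2025:10:00:01 +0000] "GET /itbox_pi/branch_import.php?a=branch_list&province=Fujian HTTP/1.1" 200 512',
    '198.51.100.7 - admin [25/Aug/2025:10:02:13 +0000] "GET /itbox_pi/branch_import.php?a=branch_list&province=Fujian%3BPLACEHOLDER HTTP/1.1" 200 0',
    '198.51.100.7 - admin [25/Aug/2025:10:02:20 +0000] "GET /itbox_pi/branch_import.php?a=branch_list&province=%7CPLACEHOLDER HTTP/1.1" 200 0',
    '192.0.2.10 - admin [25/Aug/2025:10:05:00 +0000] "GET /itbox_pi/other.php?a=branch_list&province=x%3By HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT src={src} province={value!r}")
```

The same allowlist can serve as the SI-10 input check in front of the device, for example in a reverse proxy rule, with the pattern tightened to the province names actually in use.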