Cyber Resilience

CVE-2025-9424

Severity: Low · Public PoC

Published: 25 August 2025
Modified: 29 April 2026
CVSS Score (v4): 2.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0122 (79.5th percentile)
Risk Priority: 5 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9424 is a low-severity Command Injection (CWE-77) vulnerability in Ruijie WS7204-A firmware. Its CVSS base score is 2.0 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 20.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

A vulnerability identified as CVE-2025-9424 affects the Ruijie WS7204-A wireless controller running firmware dated 2017.06.15. It resides in an unspecified function of the file /itbox_pi/branch_import.php when the script is invoked with the parameter a=branch_list. Unauthenticated manipulation of the province argument permits operating-system command injection, corresponding to CWE-77 and CWE-78. The flaw is remotely reachable and carries a CVSS 4.0 base score of 2.0 under the vector AV:N/AC:L/AT:N/PR:H/UI:N.

An authenticated administrator can supply crafted input to the province parameter and execute arbitrary operating-system commands on the device. Because a working exploit has already been published, an attacker with administrative credentials can obtain limited control over the controller’s operating environment, including the ability to read, modify, or delete selected data.

No vendor patch or mitigation guidance has been issued; the manufacturer was notified prior to disclosure but did not respond. Public references consist of a GitHub proof-of-concept and several VulDB entries that document the issue.

The associated EPSS score has remained flat at 0.0112 since publication, indicating no measurable increase in observed exploitation interest.

Vulnerability details

A vulnerability was identified in Ruijie WS7204-A 2017.06.15. Affected by this vulnerability is an unknown functionality of the file /itbox_pi/branch_import.php?a=branch_list. Such manipulation of the argument province leads to OS command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in a public-facing web interface directly enables remote exploitation of the application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-56092 (same vendor: Ruijie)
- CVE-2025-56079 (same vendor: Ruijie)
- CVE-2025-56095 (same vendor: Ruijie)
- CVE-2025-56114 (same vendor: Ruijie)
- CVE-2025-56099 (same vendor: Ruijie)
- CVE-2025-56110 (same vendor: Ruijie)
- CVE-2025-56096 (same vendor: Ruijie)
- CVE-2025-56106 (same vendor: Ruijie)
- CVE-2025-56086 (same vendor: Ruijie)
- CVE-2025-56093 (same vendor: Ruijie)

Affected Assets

Vendor: ruijie · Product: ws7204-a firmware · Version: 2017.06.15

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of untrusted input (the province parameter) to block OS command injection in branch_import.php.
- AC-6 Least Privilege (prevent): Enforces least privilege so that only accounts strictly needing the branch_list function can reach the vulnerable code path, limiting who can exploit it.
- prevent: Restricts the web application to the minimum required OS commands and disables shell access from the PHP process, reducing the attack surface for command injection.
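The SI-10 control above calls for validating the province parameter against an allowlist; the same allowlist check can be run retrospectively over web-server access logs to surface requests to the affected endpoint that would have failed it. This is an added example, not code from the advisory or from Ruijie; the log lines are constructed, and the allowlist pattern for a legitimate province name is an assumption to adjust to local data.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: a legitimate province value is a short plain name. Anything
# else (shell metacharacters, quotes, percent-encoding left over from double
# encoding) is treated as a request worth reviewing.
ALLOWED_PROVINCE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")

# Combined-Log-Format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic. The second line carries a
# province value that an allowlist would reject; the third hits a different
# script and the fourth carries no province parameter in the query string.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2025:10:00:01 +0000] "GET /itbox_pi/branch_import.php?a=branch_list&province=Fujian HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2025:10:00:07 +0000] "GET /itbox_pi/branch_import.php?a=branch_list&province=Fujian%3Bid HTTP/1.1" 200 640 "-" "curl/8.4.0"
10.0.0.9 - - [01/Sep/2025:10:00:09 +0000] "GET /itbox_pi/other.php?province=x%7Cls HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.0.0.7 - - [01/Sep/2025:10:01:00 +0000] "POST /itbox_pi/branch_import.php?a=branch_list HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def suspicious_requests(log_text):
    """Return (client_ip, timestamp, decoded_province) for every request that
    reaches /itbox_pi/branch_import.php with a=branch_list and a province
    value outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        url = urlsplit(m.group("target"))
        if url.path != "/itbox_pi/branch_import.php":
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        if query.get("a") != ["branch_list"]:
            continue
        for value in query.get("province", []):
            # parse_qs percent-decodes once; decode again so a double-encoded
            # value is judged by what the application would finally see.
            decoded = unquote_plus(value)
            if not ALLOWED_PROVINCE.match(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, province in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} province={province!r}")
```

Parameters sent in a POST body do not appear in access logs, so the fourth sample line is not assessable from this source alone; pair the check with request-body logging or a WAF rule for full coverage.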
