CVE-2025-56124


Summary

CVE-2025-56124 is a high-severity OS Command Injection vulnerability affecting Ruijie X60 PRO and EW1200 routers. This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the affected device via a crafted POST request, potentially leading to complete system compromise.

Technical Details

CVE-2025-56124 is an OS Command Injection vulnerability located in the /usr/local/lua/dev_sta/networkConnect.lua file of the Ruijie X60 PRO and EW1200 router firmware. The vulnerability stems from insufficient input validation when processing data received via a POST request to the module_get function. An attacker can inject malicious operating system commands into a vulnerable parameter within the POST request. When the router processes this request, the injected commands are executed with the privileges of the web server process, typically root. This allows the attacker to perform a wide range of actions, including modifying system configuration, installing malware, and exfiltrating sensitive data.

The specific vulnerable code path involves the concatenation of user-supplied input directly into a system command without proper sanitization or escaping. This allows an attacker to break out of the intended context and execute arbitrary commands. The lack of authentication required to trigger the vulnerability further exacerbates the risk.

Affected Products and Versions

The following Ruijie products and firmware versions are known to be affected by CVE-2025-56124:

  • Ruijie X60 PRO with firmware version X60_10212014RG-X60 PRO V1.00/V2.00
  • Ruijie EW1200 with firmware version 3.0(1)b11p301

Other versions of these products may also be affected. Users are advised to check with Ruijie for the latest security information.

Impact Assessment

Successful exploitation of CVE-2025-56124 can have severe consequences for affected users and organizations. The ability to execute arbitrary commands as root allows an attacker to completely compromise the affected router.

  • Complete System Compromise: An attacker can gain full control of the router, allowing them to modify system settings, install malware, and monitor network traffic.
  • Data Breach Risk: Sensitive data stored on the router or transmitted through it can be accessed and exfiltrated by the attacker. This includes usernames, passwords, and other confidential information.
  • Network Disruption: The attacker can disrupt network services by modifying router configuration or launching denial-of-service attacks.
  • Lateral Movement: A compromised router can be used as a stepping stone to attack other devices on the network.

Remediation

The most effective way to address CVE-2025-56124 is to apply the latest security patches released by Ruijie. Users should regularly check the Ruijie support website for updates.

Immediate Actions

  • Apply Security Patches: Install the latest firmware updates provided by Ruijie as soon as they are available.
  • Monitor Network Traffic: Monitor network traffic for suspicious activity, such as unusual outbound connections or attempts to access the vulnerable endpoint.

Long-term Solutions

  • Implement Strong Authentication: Enforce strong authentication mechanisms for accessing the router's management interface.
  • Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities.
  • Network Segmentation: Segment the network to limit the impact of a potential compromise.

Detection & Scanning

This vulnerability can be detected by monitoring network traffic for suspicious POST requests to the router's web interface that reach the module_get function in /usr/local/lua/dev_sta/networkConnect.lua. Pay close attention to requests whose parameter values contain unusual characters or commands.
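
One way to implement the parameter check described above, as an added example (not Ruijie's code and not part of the original advisory): it decodes a captured POST body and flags values that contain shell metacharacters. The sample bodies, the request layout and the field names (ssid, ifname, mode, list) are constructed, since the advisory does not give the request format or name the vulnerable parameter.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus

# Sequences that let a value break out of a shell command string. A lone "&"
# or ";" can occur in legitimate values, so treat hits as triage leads.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{")

def iter_values(obj, path=""):
    """Yield (parameter path, value) for every string leaf of a decoded body."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from iter_values(val, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from iter_values(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj

def decode_body(body, content_type):
    """Decode a JSON or form-encoded POST body; keep unparseable JSON as raw text."""
    if "json" in content_type:
        try:
            return json.loads(body)
        except ValueError:
            return {"<raw>": body}
    return dict(parse_qsl(body, keep_blank_values=True))

def suspicious_params(body, content_type="application/json"):
    """Return [(parameter path, matched sequence)] for values with shell metacharacters."""
    hits = []
    for path, value in iter_values(decode_body(body, content_type)):
        match = SHELL_META.search(unquote_plus(value))  # also catches %3B-style encoding
        if match:
            hits.append((path, match.group(0)))
    return hits

# Constructed sample bodies; field names and request layout are hypothetical.
SAMPLES = [
    ("application/json", '{"method": "module_get", "params": {"ssid": "office-5g"}}'),
    ("application/json", '{"method": "module_get", "params": {"ssid": "guest;PLACEHOLDER"}}'),
    ("application/x-www-form-urlencoded", "ifname=eth0&mode=%24%28PLACEHOLDER%29"),
    ("application/json", '{"params": {"list": ["ok", "a%60PLACEHOLDER%60"]}}'),
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        print(suspicious_params(body, ctype) or "clean", "<-", body)
```

The pattern is deliberately broad: tune it against the values the management interface legitimately receives before alerting on it.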
