CVE-2025-56130


Summary

CVE-2025-56130 is a high-severity OS Command Injection vulnerability affecting Ruijie RG-S1930 switches. Successful exploitation allows attackers to execute arbitrary commands on the affected device via a crafted POST request.

Technical Details

CVE-2025-56130 is an OS Command Injection vulnerability present in the Ruijie RG-S1930 switch firmware. The vulnerability resides in the module_update function within the /usr/local/lua/dev_config/ace_sw.lua file. An attacker can exploit this vulnerability by sending a specially crafted POST request to this function. The lack of proper input sanitization allows the attacker to inject and execute arbitrary operating system commands on the underlying system. This allows for complete control of the device.

The vulnerability stems from the improper handling of user-supplied input within the module_update function. Specifically, the code fails to adequately sanitize or validate data received through the POST request before using it in a system call. This allows an attacker to inject malicious commands into the system call, leading to arbitrary command execution with the privileges of the web server process.

Affected Products and Versions

  • Ruijie RG-S1930 S1930SWITCH_3.0(1)B11P230
  • Ruijie Reyee OS

Impact Assessment

Successful exploitation of CVE-2025-56130 can have severe consequences. An attacker can gain complete control over the affected Ruijie RG-S1930 switch.

  • Complete System Compromise: Attackers can execute arbitrary commands with root privileges, allowing them to modify system configurations, install malware, and potentially pivot to other devices on the network.
  • Data Breach Risk: Sensitive data stored on the switch or passing through it could be compromised.
  • Denial of Service: Attackers can disrupt network services by crashing the switch or altering its configuration.
  • Network Disruption: Compromised switches can be used to launch attacks against other network devices or external targets.

Remediation

Immediate Actions

  • Apply the Security Patch: Ruijie has released a security patch to address this vulnerability. Immediately apply the patch to all affected RG-S1930 switches. Contact Ruijie support for the latest firmware updates.
  • Monitor Network Traffic: Monitor network traffic for suspicious activity, such as unusual POST requests that reach the module_update function in /usr/local/lua/dev_config/ace_sw.lua.
  • Restrict Access: Limit access to the switch's web interface to authorized personnel only.

Long-term Solutions

  • Implement Input Validation: Ensure that all user-supplied input is properly validated and sanitized before being used in system calls.
  • Regular Security Audits: Conduct regular security audits of network devices to identify and address potential vulnerabilities.
  • Keep Firmware Updated: Stay informed about security updates and promptly apply them to all network devices.

Detection & Scanning

This vulnerability can be detected by analyzing network traffic for suspicious POST requests that invoke the module_update function in /usr/local/lua/dev_config/ace_sw.lua. Pay close attention to the content of the POST request body, looking for signs of command injection attempts. Vulnerability scanners can also be used to identify vulnerable devices.
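
One way to carry out the body inspection described above, as an added example (not vendor or scanner code): it flags POST parameters whose decoded value contains shell metacharacters. It assumes request bodies sent to the switch's web interface have already been extracted from proxy or IDS logs and are either form-encoded or JSON, which the advisory does not specify; the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus

# Shell metacharacters that should not appear in an ordinary config field value.
SHELL_META = re.compile(r"[;&|`\n\r<>]|\$[({]")

def _decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def _leaf_strings(obj, key=""):  # yields (dotted_key, string) from nested JSON
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaf_strings(v, f"{key}.{k}" if key else str(k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _leaf_strings(v, f"{key}[{i}]")
    elif isinstance(obj, str):
        yield key, obj

def suspicious_params(method, body):
    """Return sorted names of POST parameters whose value holds shell metacharacters."""
    if method.upper() != "POST":
        return []
    try:
        pairs = list(_leaf_strings(json.loads(body)))  # assumption: JSON body
    except ValueError:
        pairs = parse_qsl(body, keep_blank_values=True)  # assumption: form body
    return sorted({k for k, v in pairs if SHELL_META.search(_decode(v))})

# Constructed sample records (source, method, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "POST", "name=fw_3.0.bin&ver=1.2"),
    ("10.0.0.9", "POST", "name=fw.bin%253Bid&ver=1.2"),
    ("10.0.0.9", "POST", '{"module": {"name": "core", "ver": "1.0$(id)"}}'),
]

def scan(records):
    """Return (source, flagged_params) for each record with at least one hit."""
    return [(s, p) for s, m, b in records if (p := suspicious_params(m, b))]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))
```

Metacharacter matching is a triage heuristic: tune SHELL_META against the values the management interface legitimately sends before alerting on it.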
