CVE-2023-48849

9.8 CRITICAL

Remote Code Execution

📋 TL;DR

CVE-2023-48849 is a critical remote code execution vulnerability affecting Ruijie EG Series Routers. Unauthenticated attackers can execute arbitrary code on affected devices due to insufficient input filtering. Organizations using Ruijie EG routers with vulnerable firmware are at risk.

💻 Affected Systems

Products:

• Ruijie EG Series Routers

Versions: EG_3.0(1)B11P216 and earlier versions

Operating Systems: Ruijie proprietary router OS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations appear vulnerable. No special configuration required for exploitation.

📦 What is this software?

Rg Eg1000c Firmware by Ruijie

View all CVEs affecting Rg Eg1000c Firmware →

Rg Eg1000e Firmware by Ruijie

View all CVEs affecting Rg Eg1000e Firmware →

Rg Eg105g E Firmware by Ruijie

View all CVEs affecting Rg Eg105g E Firmware →

Rg Eg105g Firmware by Ruijie

View all CVEs affecting Rg Eg105g Firmware →

Rg Eg105g P Firmware by Ruijie

View all CVEs affecting Rg Eg105g P Firmware →

Rg Eg105g Pe Firmware by Ruijie

View all CVEs affecting Rg Eg105g Pe Firmware →

Rg Eg105g V2 Firmware by Ruijie

View all CVEs affecting Rg Eg105g V2 Firmware →

Rg Eg105gw X Firmware by Ruijie

View all CVEs affecting Rg Eg105gw X Firmware →

Rg Eg105gw\(t\) Firmware by Ruijie

View all CVEs affecting Rg Eg105gw\(t\) Firmware →

Rg Eg2000ce Firmware by Ruijie

View all CVEs affecting Rg Eg2000ce Firmware →

Rg Eg209gs Firmware by Ruijie

View all CVEs affecting Rg Eg209gs Firmware →

Rg Eg2100 P Firmware by Ruijie

View all CVEs affecting Rg Eg2100 P Firmware →

Rg Eg210g E Firmware by Ruijie

View all CVEs affecting Rg Eg210g E Firmware →

Rg Eg210g P Firmware by Ruijie

View all CVEs affecting Rg Eg210g P Firmware →

Rg Eg210g Pe Firmware by Ruijie

View all CVEs affecting Rg Eg210g Pe Firmware →

Rg Eg3000eu Firmware by Ruijie

View all CVEs affecting Rg Eg3000eu Firmware →

Rg Eg3000xe Firmware by Ruijie

View all CVEs affecting Rg Eg3000xe Firmware →

Rg Eg305gh P E Firmware by Ruijie

View all CVEs affecting Rg Eg305gh P E Firmware →

Rg Eg310gh E Firmware by Ruijie

View all CVEs affecting Rg Eg310gh E Firmware →

Rg Eg3230 Firmware by Ruijie

View all CVEs affecting Rg Eg3230 Firmware →

Rg Eg3250 Firmware by Ruijie

View all CVEs affecting Rg Eg3250 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with persistent backdoor installation, network traffic interception, lateral movement to internal systems, and data exfiltration.

🟠

Likely Case

Router takeover leading to network disruption, credential theft, and deployment of malware or botnet clients.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, potentially only affecting isolated router management interface.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and unauthenticated exploitation makes this easily accessible to attackers.

🏢 Internal Only: MEDIUM - Internal routers could still be targeted via compromised internal hosts or phishing campaigns.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code available on GitHub. Simple HTTP request triggers the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Check Ruijie vendor website for firmware updates. If unavailable, implement workarounds immediately.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Ruijie routers from internet and restrict access to management interfaces

Access Control Lists

all

Implement strict firewall rules to limit access to router management interfaces

🧯 If You Can't Patch

• Immediately disconnect vulnerable routers from internet-facing networks
• Implement network monitoring for suspicious traffic to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Copy

Check router firmware version via web interface or CLI. If version is EG_3.0(1)B11P216 or earlier, device is vulnerable.

Check Version:

Copy

show version (via CLI) or check web interface System Information page

Verify Fix Applied:

Copy

No official fix available. Monitor for firmware updates from Ruijie vendor.

📡 Detection & Monitoring

Log Indicators:

• Unusual HTTP requests to router management interface
• Unexpected process execution in router logs
• Authentication bypass attempts

Network Indicators:

• Suspicious HTTP traffic to router management ports (typically 80/443)
• Unusual outbound connections from router

SIEM Query:

Copy

source_ip="router_ip" AND (http_method="POST" OR http_method="GET") AND uri_contains="/cgi-bin" AND status_code=200

📊 Metadata

CVE ID: CVE-2023-48849

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: December 6, 2023

Last Updated: November 21, 2024

🔗 References

• https://github.com/delsploit/CVE-2023-48849 Exploit,Third Party Advisory
• https://github.com/delsploit/CVE-2023-48849 Exploit,Third Party Advisory

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON