CVE-2023-7330
📋 TL;DR
Ruijie NBR series routers expose an unauthenticated arbitrary file upload vulnerability at the /ddi/server/fileupload.php endpoint of the web management interface. An attacker who can reach that interface can upload a PHP file without any credentials and then request it to execute arbitrary code on the device. Any NBR router running the vulnerable firmware with the web interface reachable is affected.
💻 Affected Systems
- Ruijie NBR series routers
⚠️ Manual Verification Required
This CVE has no version information in the database, so automated detection cannot determine whether a given device is affected.
Why? Neither the vendor nor NVD has published affected version ranges for this entry.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the router, allowing attackers to intercept all network traffic, pivot to internal networks, install persistent backdoors, and disrupt network operations.
Likely Case
Attackers upload web shells to gain remote code execution, steal credentials, modify router configurations, and use the device as a foothold for further attacks.
If Mitigated
If proper network segmentation and access controls are in place, impact may be limited to the router itself without lateral movement to other systems.
🎯 Exploit Status
Exploitation evidence observed in the wild by Shadowserver Foundation. Multiple public proof-of-concept scripts and Nuclei templates available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not publicly available
Vendor Advisory: Not publicly available
Restart Required: No
Instructions:
No official patch instructions available. Check Ruijie Networks website for security advisories and firmware updates.
🔧 Temporary Workarounds
Block access to vulnerable endpoint
Linux: Use firewall rules or a web application firewall to block requests for /ddi/server/fileupload.php. On a Linux host (the device itself if you have shell access; an upstream Linux firewall would use the FORWARD chain instead) a payload string match on plain HTTP is:
iptables -A INPUT -p tcp --dport 80 -m string --string "/ddi/server/fileupload.php" --algo bm --icase -j DROP
Caveats: the match only sees the URI when it travels in clear text, so the same rule on port 443 does nothing useful because the request line is inside the TLS record; for HTTPS, enforce the block on a reverse proxy or WAF that terminates TLS. The string match also misses percent-encoded variants (for example fileupload%2Ephp) and request lines split across packets, so treat it as a stopgap and prefer restricting the management ports to trusted source addresses, which does not depend on payload inspection.
Disable web management interface
All platforms: Disable the web management interface if it is not required for operations; if it is required, restrict it to a management VLAN and trusted source addresses.
🧯 If You Can't Patch
- Segment routers in isolated network zones with strict firewall rules
- Implement network monitoring and intrusion detection for suspicious file upload attempts
🔍 How to Verify
Check if Vulnerable:
Send a test upload (a harmless non-PHP file) to /ddi/server/fileupload.php without any session cookie or credentials, using curl or a similar tool, and check whether the request is accepted rather than rejected with 401/403 or a redirect to the login page.
Check Version:
Check the firmware version on the web interface's system information page or over SSH where available, and compare it against any vendor advisory.
Verify Fix Applied:
Repeat the unauthenticated test upload: a fixed device rejects it (401/403 or a login redirect), and no file with the test name may appear under the web root.
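The following is an added example of that check, not code from the advisory or from any of the referenced write-ups. It posts a harmless .txt marker file with no credentials and classifies the response; it never uploads PHP. The multipart field name "file" is an assumption, because the advisory does not state what the endpoint reads; confirm it against the Nuclei template in the references before relying on a "protected" verdict.

```python
import urllib.error
import urllib.request
import uuid

ENDPOINT = "/ddi/server/fileupload.php"
# ASSUMPTION: the advisory does not name the multipart field the endpoint reads;
# "file" is a guess. Confirm it against the Nuclei template in the references.
FIELD = "file"
MARKER = "cve-2023-7330-check"


def build_multipart(field, filename, content):
    """Encode one file as a multipart/form-data body; returns (body, content_type)."""
    boundary = "----probe" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def classify(status, body):
    """Map the raw HTTP answer to a verdict. Only a 2xx whose body is not a login
    page is treated as the endpoint accepting an unauthenticated upload."""
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "redirected (login probably required)"
    if status == 404:
        return "endpoint absent"
    if 200 <= status < 300:
        if "login" in body.lower():
            return "login page returned"
        return "accepted unauthenticated upload: likely vulnerable"
    return f"inconclusive (HTTP {status})"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a login redirect must be reported, not resolved."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, timeout=10):
    """POST a harmless .txt marker file with no credentials and classify the answer.
    Run only against devices you are authorized to test; if the device is vulnerable
    the marker file is written to it and should be removed afterwards."""
    body, ctype = build_multipart(FIELD, MARKER + ".txt", MARKER.encode())
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=body,
        method="POST",
        headers={"Content-Type": ctype, "User-Agent": MARKER},
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read(4096).decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys

    # usage: python probe.py http://router.example.test
    print(probe(sys.argv[1]))
```

A "protected" or "redirected" verdict after the fix, and the absence of the marker file under the web root, is the check the Verify Fix Applied step asks for. Because an application may answer 200 with an error body, treat "likely vulnerable" as a prompt to inspect the response, not as proof on its own.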
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /ddi/server/fileupload.php
- File creation in web directories with .php extension
- Unusual process execution from web user context
Network Indicators:
- POST requests to fileupload.php endpoint from external IPs
- Unusual outbound connections from router after file upload
SIEM Query:
source="web_logs" AND uri="/ddi/server/fileupload.php" AND method="POST"
Match the path case-insensitively and after percent-decoding where the SIEM allows it, since attackers vary the encoding; a 2xx status on such a request means the upload was accepted and should be escalated.
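As an added example that is not part of the advisory, the detection logic above run over constructed access-log lines: it normalises the request path (query stripped, percent-decoded, duplicate slashes collapsed, lowercased) so encoded variants still match, flags every POST to the endpoint with whether the device accepted it, and then reports later requests for other .php resources from a source whose upload was accepted, which is the pattern of a dropped web shell being invoked. The log lines and addresses are constructed for the example.

```python
import re

# Endpoint named in the advisory.
VULN_PATH = "/ddi/server/fileupload.php"

# Combined (Apache/nginx style) access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log for the example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:21:33 +0000] "POST /ddi/server/fileupload.php HTTP/1.1" 200 57',
    '203.0.113.7 - - [10/Jan/2024:10:21:35 +0000] "GET /upload/shell.php?cmd=id HTTP/1.1" 200 112',
    '198.51.100.9 - - [10/Jan/2024:10:30:01 +0000] "POST /ddi/server/fileupload%2Ephp?x=1 HTTP/1.1" 403 0',
    '192.0.2.5 - - [10/Jan/2024:10:31:10 +0000] "GET /login.php HTTP/1.1" 200 2048',
    '192.0.2.5 - - [10/Jan/2024:10:31:11 +0000] "POST //ddi/server/FILEUPLOAD.php HTTP/1.1" 200 57',
]


def normalize_path(target):
    """Strip the query string, percent-decode, collapse duplicate slashes and
    lowercase, so encoded or padded variants of the endpoint still match."""
    from urllib.parse import unquote

    path = target.split("?", 1)[0]  # not urlsplit: '//x' would be read as a host
    path = unquote(path)
    path = re.sub(r"/+", "/", path)
    return path.lower()


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = normalize_path(entry["target"])
    return entry


def find_upload_attempts(lines):
    """Every POST to the vulnerable endpoint. 'accepted' is True for a 2xx answer,
    which means the device took the upload and should be treated as compromised."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["method"] == "POST" and entry["path"] == VULN_PATH:
            entry["accepted"] = 200 <= entry["status"] < 300
            hits.append(entry)
    return hits


def follow_on_php_requests(lines):
    """Requests for other .php resources from a source address *after* that
    address had an upload accepted: the likely invocation of a dropped web shell.
    Lines are assumed to be in chronological order."""
    accepted = set()
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["method"] == "POST" and entry["path"] == VULN_PATH:
            if 200 <= entry["status"] < 300:
                accepted.add(entry["ip"])
            continue
        if entry["ip"] in accepted and entry["path"].endswith(".php"):
            out.append(entry)
    return out


if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG):
        print("upload attempt", hit["ip"], hit["status"], "accepted" if hit["accepted"] else "rejected")
    for req in follow_on_php_requests(SAMPLE_LOG):
        print("possible web shell use", req["ip"], req["target"])
```

On the sample, the third line matches despite the percent-encoded dot and query string, the fifth despite the doubled slash and upper-case name, and only the GET for /upload/shell.php is reported as follow-on activity: the /login.php request from 192.0.2.5 precedes that address's accepted upload and is not flagged. Pair this with the host-side indicators the advisory lists (new .php files under the web root, unexpected processes under the web server user), which the access log cannot show.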
🔗 References
- https://cn-sec.com/archives/1995366.html
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml
- https://rfk0z.github.io/posts/Ruijie-NBR-router-fileupload-php-arbitrary-file-upload-vulnerability/
- https://www.cnblogs.com/Domren/articles/19093295
- https://www.vulncheck.com/advisories/ruijie-networks-nbr-routers-unauthenticated-arbitrary-file-upload-via-fileuploadphp