CVE-2024-42936

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Ruijie RG-EW300N wireless access points by sending specially crafted MQTT broker messages to the mqlink.elf service. Attackers can gain full control of affected devices without authentication. Organizations using these access points with vulnerable firmware are at risk.

💻 Affected Systems

Products:
  • Ruijie RG-EW300N
Versions: ReyeeOS 1.300.1422
Operating Systems: Embedded ReyeeOS
Default Config Vulnerable: ⚠️ Yes
Notes: The mqlink.elf service runs by default and listens for MQTT messages. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the access point allowing attackers to pivot to internal networks, intercept traffic, deploy malware, or create persistent backdoors.

🟠 Likely Case

Attackers gain control of the access point to monitor network traffic, steal credentials, or use the device as a foothold for lateral movement.

🟢 If Mitigated

Limited impact if devices are isolated in separate VLANs with strict network segmentation and outbound traffic filtering.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub gist contains technical details and appears to demonstrate exploitation. The vulnerability requires no authentication and has a simple exploitation path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check Ruijie official website for firmware updates. If available, download the latest firmware and apply through the device web interface or CLI.

🔧 Temporary Workarounds

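Block MQTT traffic

Platform: linux

Prevent exploitation by blocking inbound MQTT traffic to affected devices. These rules use the INPUT chain, which filters traffic addressed to the host they run on; on a Linux firewall or router that sits in front of the access points, put the same matches in the FORWARD chain instead.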

iptables -A INPUT -p tcp --dport 1883 -j DROP
iptables -A INPUT -p tcp --dport 8883 -j DROP

Disable mqlink service

Platform: all

Stop and disable the vulnerable mqlink.elf service if not required

killall mqlink.elf
chmod -x /path/to/mqlink.elf

🧯 If You Can't Patch

  • Isolate affected devices in separate VLANs with strict firewall rules
  • Implement network monitoring for MQTT traffic anomalies and unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface or the CLI command show version. If the version is ReyeeOS 1.300.1422, the device is vulnerable.

Check Version:

show version

Verify Fix Applied:

Verify firmware has been updated to a version later than ReyeeOS 1.300.1422

📡 Detection & Monitoring

Log Indicators:

  • Unusual MQTT connection attempts
  • mqlink.elf process crashes or restarts
  • Unauthorized configuration changes

Network Indicators:

  • MQTT traffic to port 1883/8883 from unexpected sources
  • Outbound connections from access points to suspicious IPs

SIEM Query:

source="access-point-logs" AND ("mqlink" OR "MQTT") AND ("crash" OR "error" OR "unauthorized")
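
The log and network indicators above, applied as a small triage script. This is an added example, not code from the advisory or the vendor; the syslog line layout, the expected-peer allowlist and the sample lines are constructed assumptions to adapt to your own log source.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption: the only peers that should speak MQTT with the access points.
EXPECTED_MQTT_PEERS = [ip_network("10.20.0.10/32")]
MQTT_PORTS = {1883, 8883}

# Constructed sample lines; real device and firewall log formats will differ.
SAMPLE_LOGS = """\
Jan 10 03:12:01 ap-lobby kernel: conn src=10.20.0.10 dst=10.20.1.5 dport=8883 proto=tcp
Jan 10 03:12:44 ap-lobby kernel: conn src=192.0.2.77 dst=10.20.1.5 dport=1883 proto=tcp
Jan 10 03:12:45 ap-lobby procd: mqlink.elf crashed with signal 11, restarting
Jan 10 03:13:02 ap-lobby webcfg: unauthorized MQTT config change rejected
Jan 10 03:14:10 ap-lobby dhcpd: lease error for 10.20.1.88
""".splitlines()

SERVICE = re.compile(r"mqlink|mqtt", re.I)
SYMPTOM = re.compile(r"crash|error|unauthorized", re.I)
CONN = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def triage(lines, expected=EXPECTED_MQTT_PEERS):
    """Return (reason, line) pairs for the log and network indicators."""
    findings = []
    for line in lines:
        # Log indicator: same boolean logic as the SIEM query above.
        if SERVICE.search(line) and SYMPTOM.search(line):
            findings.append(("mqlink/MQTT fault", line))
        # Network indicator: MQTT ports reached from an unexpected source.
        m = CONN.search(line)
        if not m or int(m["dport"]) not in MQTT_PORTS:
            continue
        try:
            src = ip_address(m["src"])
        except ValueError:
            # A malformed source field is itself worth a look.
            findings.append(("unparseable MQTT source", line))
            continue
        if not any(src in net for net in expected):
            findings.append(("MQTT from unexpected source", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOGS):
        print(f"[{reason}] {line}")
```

A crash or restart of mqlink.elf shortly after MQTT traffic from an unexpected source, as in the sample, is the pairing to prioritise for investigation.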
