CVE-2024-4502
📋 TL;DR
This critical vulnerability in Ruijie RG-UAC Unified Internet Behavior Management Audit System allows remote attackers to execute arbitrary operating system commands via command injection in the ifName parameter of the dhcp_client_commit.php file. Attackers can exploit this to gain unauthorized access and control over affected systems. All Ruijie RG-UAC systems up to version 20240428 are vulnerable.
💻 Affected Systems
- Ruijie RG-UAC Unified Internet Behavior Management Audit System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with system privileges, install malware, exfiltrate sensitive data, pivot to other network systems, and establish persistent backdoors.
Likely Case
Remote code execution leading to unauthorized system access, data theft, and potential use as a foothold for lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, strict firewall rules, and input validation are in place, though the vulnerability remains exploitable.
🎯 Exploit Status
Exploit details are publicly available in GitHub repositories. The vulnerability can be exploited remotely without authentication using simple HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch is available. Monitor Ruijie's official channels for security updates. Consider upgrading to newer versions if available.
🔧 Temporary Workarounds
Block Access to Vulnerable Endpoint
Restrict network access to the vulnerable PHP file using firewall rules or web server configuration.
# Example iptables rule to block access to the vulnerable endpoint
sudo iptables -A INPUT -p tcp --dport 80 -m string --string "/view/dhcp/dhcpClient/dhcp_client_commit.php" --algo bm -j DROP
# Alternative: Use web server configuration to deny access to the specific file
Input Validation via WAF
Implement web application firewall rules to block malicious input containing command injection patterns.
# Example ModSecurity rule
SecRule ARGS:ifName "@rx [;&|`$()]" "id:1001,phase:2,deny,msg:'Command Injection Attempt'"
# Configure WAF to block requests with suspicious characters in ifName parameter
🧯 If You Can't Patch
- Isolate affected systems in a separate network segment with strict firewall rules limiting inbound and outbound connections.
- Implement network monitoring and intrusion detection systems to detect exploitation attempts and anomalous system behavior.
🔍 How to Verify
Check if Vulnerable:
Check if the file /view/dhcp/dhcpClient/dhcp_client_commit.php exists and is accessible via HTTP. Test by sending a request with a command injection payload in the ifName parameter (use caution in production).
Check Version:
Check system version through web interface or administrative console. The exact command varies by deployment.
Verify Fix Applied:
Verify that the vulnerable endpoint is no longer accessible or that input validation properly sanitizes the ifName parameter. Test with safe payloads to confirm command injection is blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to /view/dhcp/dhcpClient/dhcp_client_commit.php with suspicious parameters
- System logs showing unexpected command execution or process creation
- Web server logs containing command injection patterns (;, &, |, `, $, (, )) in the ifName parameter
Network Indicators:
- HTTP traffic to the vulnerable endpoint with unusual payloads
- Outbound connections from the system to unexpected external IPs following exploitation
SIEM Query:
source="web_server" AND url="/view/dhcp/dhcpClient/dhcp_client_commit.php" AND (ifName="*;*" OR ifName="*&*" OR ifName="*|*" OR ifName="*`*" OR ifName="*$(*" OR ifName="*)*")
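The following Python script is an added example, not part of the original advisory or Ruijie's software. It turns the WAF rule and the SIEM query above into offline detection logic: it parses combined-format web server access log lines (a constructed sample is embedded), keeps only requests to the vulnerable endpoint, and flags any ifName value that either contains the shell metacharacters the ModSecurity rule denies or fails an assumed allow-list for Linux interface names (at most 15 characters from a small charset). The allow-list check is stricter than the denylist, so it also catches values that are merely anomalous. The example assumes ifName is visible in the logged query string, as the SIEM query does; if the device posts the parameter in the request body, request-body logging is needed for this to see it.

```python
"""Flag access-log entries matching the CVE-2024-4502 indicators (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory.
VULN_PATH = "/view/dhcp/dhcpClient/dhcp_client_commit.php"

# Shell metacharacters the advisory's ModSecurity rule denies in ifName.
DENYLIST = re.compile(r"[;&|`$()]")

# Assumed allow-list: Linux interface names are at most 15 characters and use
# letters, digits, '.', '_', ':' and '-'. Anything else is treated as suspicious.
ALLOWLIST = re.compile(r"^[A-Za-z0-9._:-]{1,15}$")

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). The second and fourth lines
# carry a placeholder injection-style value and an over-long name respectively.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2024:10:00:00 +0000] "GET '
    '/view/dhcp/dhcpClient/dhcp_client_commit.php?ifName=eth0 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/May/2024:10:00:05 +0000] "GET '
    '/view/dhcp/dhcpClient/dhcp_client_commit.php?ifName=eth0%3B%24%28x%29 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2024:10:00:09 +0000] "GET /index.php?ifName=a%3Bb HTTP/1.1" 200 100',
    '203.0.113.7 - - [01/May/2024:10:00:12 +0000] "GET '
    '/view/dhcp/dhcpClient/dhcp_client_commit.php?ifName=eth0eth0eth0eth0eth0eth0 HTTP/1.1" 200 512',
]


def ifname_is_suspicious(value):
    """True if the value contains denied metacharacters or is not a plausible interface name."""
    return bool(DENYLIST.search(value)) or not ALLOWLIST.match(value)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        # keep_blank_values so an empty ifName= is still seen (and then flagged by the allow-list)
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def flag_entries(lines):
    """Return (client_ip, decoded_ifName) for requests to the vulnerable path with a suspicious ifName."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["path"] != VULN_PATH:
            continue
        for value in entry["params"].get("ifName", []):
            if ifname_is_suspicious(value):
                hits.append((entry["ip"], value))
    return hits


if __name__ == "__main__":
    for ip, value in flag_entries(SAMPLE_LOG):
        print(f"suspicious ifName from {ip}: {value!r}")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; percent-encoded values are decoded before matching, so the checks see the same characters the application would. A third-party request path that merely contains the same metacharacters (the /index.php line in the sample) is ignored, which keeps the output focused on the endpoint the advisory names.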
🔗 References
- https://github.com/h0e4a0r1t/-2x3J-1rPc-1-0-/blob/main/Ruijie%20RG-UAC%20Unified%20Internet%20Behavior%20Management%20Audit%20System%20Backend%20RCE%20Vulnerability-view_dhcp_dhcpClient_dhcp_client_commit.php.pdf
- https://vuldb.com/?ctiid.263106
- https://vuldb.com/?id.263106
- https://vuldb.com/?submit.323811