CVE-2024-47791

7.5 HIGH

📋 TL;DR

This vulnerability in Ruijie Reyee OS allows attackers to subscribe to partial MQTT topics and intercept messages between devices. It affects Ruijie network devices running Reyee OS versions 2.206.x through 2.319.x. This could expose sensitive device communications and operational data.

💻 Affected Systems

Products:
  • Ruijie network devices with Reyee OS
Versions: 2.206.x up to but not including 2.320.x
Operating Systems: Ruijie Reyee OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects MQTT broker functionality in Ruijie network devices; requires MQTT service to be enabled and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers intercept all MQTT communications between devices, gaining full visibility into network operations, device status, and potentially sensitive configuration data.

🟠 Likely Case

Partial interception of MQTT messages revealing device telemetry, status updates, and operational commands, potentially enabling further attacks.

🟢 If Mitigated

Limited exposure of non-critical telemetry data with proper network segmentation and access controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to MQTT broker but no authentication; simple MQTT client subscription to partial topics.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.320.x or later

Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01

Restart Required: Yes

Instructions:

1. Download latest firmware from Ruijie support portal.
2. Backup current configuration.
3. Upload and install firmware version 2.320.x or later.
4. Reboot device.
5. Verify version and functionality.

🔧 Temporary Workarounds

Disable MQTT Service

all

Turn off MQTT broker functionality if not required for operations.

configure terminal
no mqtt enable
end
write memory

Restrict MQTT Access

all

Implement network ACLs to limit MQTT broker access to trusted hosts only.

configure terminal
access-list 100 permit ip trusted-network any
access-list 100 deny ip any any
interface vlan X
ip access-group 100 in
end
write memory

🧯 If You Can't Patch

  • Segment network to isolate Ruijie devices from untrusted networks
  • Implement strict firewall rules blocking external access to MQTT port (typically 1883/8883)

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or CLI: show version | include Reyee

Check Version:

show version | include Reyee

Verify Fix Applied:

Verify version is 2.320.x or later and test MQTT subscription attempts to partial topics fail.

📡 Detection & Monitoring

Log Indicators:

  • Unusual MQTT subscription patterns
  • Multiple failed subscription attempts
  • Connections from unexpected IPs to MQTT port

Network Indicators:

  • MQTT traffic to/from unexpected sources
  • Pattern of subscription requests for partial topics
  • Unusual volume of MQTT traffic

SIEM Query:

source="ruijie-logs" AND ((event="mqtt_subscribe" AND topic="*#") OR ((port=1883 OR port=8883) AND src_ip NOT IN trusted_networks))
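
The same two indicators (wildcard subscriptions and MQTT connections from outside trusted networks) applied offline to exported logs. This is an added example, not vendor or advisory code; the key=value log format, the field names and the trusted range are assumptions to adapt to your own log source.

```python
import ipaddress
import re

# Assumption: placeholder range for hosts allowed to reach the broker.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
MQTT_PORTS = {1883, 8883}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines in a hypothetical key=value format (not real Reyee OS output).
SAMPLE_LOGS = [
    "ts=2024-12-05T10:00:01Z event=mqtt_connect src_ip=10.20.0.15 port=8883",
    "ts=2024-12-05T10:00:02Z event=mqtt_subscribe src_ip=10.20.0.15 port=8883 topic=site/ap01/status",
    "ts=2024-12-05T10:03:11Z event=mqtt_connect src_ip=203.0.113.7 port=1883",
    "ts=2024-12-05T10:03:12Z event=mqtt_subscribe src_ip=203.0.113.7 port=1883 topic=site/#",
    "ts=2024-12-05T10:04:40Z event=mqtt_subscribe src_ip=10.20.0.22 port=8883 topic=site/+/cmd",
    "truncated line without usable fields",
]


def has_wildcard(topic):
    # MQTT wildcards fill a whole topic level: '+' matches one level, '#' all remaining.
    return any(level in ("+", "#") for level in topic.split("/"))


def triage(lines):
    """Return (timestamp, src_ip, reasons) for each line matching an indicator."""
    findings = []
    for line in lines:
        rec = dict(FIELD_RE.findall(line))
        try:
            src = ipaddress.ip_address(rec["src_ip"])
            port = int(rec["port"])
        except (KeyError, ValueError):
            continue  # malformed or unrelated line: skip rather than crash
        reasons = []
        if port in MQTT_PORTS and not any(src in net for net in TRUSTED_NETWORKS):
            reasons.append("untrusted_source")
        if rec.get("event") == "mqtt_subscribe" and has_wildcard(rec.get("topic", "")):
            reasons.append("wildcard_subscription")
        if reasons:
            findings.append((rec.get("ts", "?"), str(src), reasons))
    return findings


if __name__ == "__main__":
    for ts, src, reasons in triage(SAMPLE_LOGS):
        print(ts, src, ",".join(reasons))
```

A wildcard subscription from a trusted host, as in the last sample event, may be legitimate management traffic, so treat that reason as a prompt for review and the untrusted-source reason as the higher-priority alert.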
