CVE-2025-11141
📋 TL;DR
This CVE describes an OS command injection vulnerability in Ruijie NBR2100G-E routers. Attackers can remotely execute arbitrary commands by manipulating the 'city' parameter in the /itbox_pi/branch_passw.php endpoint. Organizations using Ruijie NBR2100G-E routers with firmware up to 20250919 (September 19, 2025) are affected.
💻 Affected Systems
- Ruijie NBR2100G-E
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with router privileges, potentially gaining persistent access, stealing credentials, or pivoting to internal networks.
Likely Case
Attackers execute limited commands to modify router configurations, disrupt network services, or deploy malware on the device.
If Mitigated
With proper network segmentation and access controls, impact is limited to the router itself without lateral movement to other systems.
🎯 Exploit Status
Exploit details are publicly available on GitHub. The vulnerability requires access to the web interface but may be exploitable without authentication depending on configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
Contact Ruijie support for firmware updates. Since the vendor has not responded, consider alternative mitigation strategies.
🔧 Temporary Workarounds
Block vulnerable endpoint
Use firewall rules or web application filtering to block access to /itbox_pi/branch_passw.php
Restrict web interface access
Limit access to router web interface to trusted IP addresses only
🧯 If You Can't Patch
- Isolate affected routers in separate network segments
- Implement strict outbound firewall rules to limit potential command and control
🔍 How to Verify
Check if Vulnerable:
Check the router firmware version via the web interface or CLI. If the version is 20250919 or earlier, the device is vulnerable.
Check Version:
Check via web interface at System > System Information or via CLI with 'show version'
Verify Fix Applied:
Verify firmware version is newer than 20250919. Test the vulnerable endpoint with safe payloads to confirm patching.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /itbox_pi/branch_passw.php with shell metacharacters in parameters
- Unexpected command execution in system logs
Network Indicators:
- Suspicious outbound connections from router to unknown IPs
- Unusual traffic patterns from router management interface
SIEM Query:
source="router_logs" AND (uri="/itbox_pi/branch_passw.php" AND (param="city" AND value MATCHES "[;&|`$()]"))
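The log indicator above as a runnable check, added here as an example (not from the advisory or the vendor): it URL-decodes the 'city' value before matching, so percent-encoded metacharacters are caught and the & that separates form fields is not. The JSON log schema (src, method, uri, body) and the sample events are constructed assumptions, standing in for whatever a proxy in front of the management interface records.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/itbox_pi/branch_passw.php"  # path named in the advisory
# Character class from the page's SIEM query, plus CR/LF, which also separate shell commands.
SHELL_META = re.compile(r"[;&|`$()\r\n]")

# Constructed sample events; the field names and the extra "x" parameter are assumptions.
SAMPLE_LOG = """\
{"src": "192.0.2.10", "method": "POST", "uri": "/itbox_pi/branch_passw.php", "body": "city=Fuzhou&x=1"}
{"src": "198.51.100.7", "method": "POST", "uri": "/itbox_pi/branch_passw.php", "body": "city=Fuzhou%3Becho+test"}
{"src": "198.51.100.7", "method": "GET", "uri": "/itbox_pi/branch_passw.php?city=a%7Cb", "body": ""}
{"src": "203.0.113.5", "method": "POST", "uri": "/login.php", "body": "user=admin%3Bx"}
"""


def city_values(event):
    """Yield every decoded 'city' value from the query string and the form body."""
    query = urlsplit(event["uri"]).query
    for raw in (query, event.get("body", "")):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if name == "city":
                yield value


def suspicious_events(log_text):
    """Return (src, city) for requests to the endpoint whose city value has shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if urlsplit(event["uri"]).path != ENDPOINT:
            continue
        for value in city_values(event):
            if SHELL_META.search(value):
                hits.append((event["src"], value))
    return hits


if __name__ == "__main__":
    for src, value in suspicious_events(SAMPLE_LOG):
        print(f"ALERT src={src} city={value!r}")
```

Matching the raw request line with the same character class would alert on every multi-field form post, because the field separator & is in the class; decoding per parameter avoids that.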