CVE-2025-56083
📋 TL;DR
This CVE describes an OS command injection vulnerability in Ruijie X30-PRO routers that allows attackers to execute arbitrary commands on the device. Attackers can exploit this by sending a crafted POST request to the vulnerable endpoint. Organizations using Ruijie X30-PRO routers with the affected firmware are at risk.
💻 Affected Systems
- Ruijie X30-PRO
📦 What is this software?
Reyee Os by Ruijie
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to network infiltration, data exfiltration, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Router takeover allowing network traffic interception, credential harvesting, and use as pivot point for further attacks.
If Mitigated
Limited impact if network segmentation isolates the router and strict access controls prevent exploitation attempts.
🎯 Exploit Status
The exploit requires sending a crafted POST request to the vulnerable endpoint, which is relatively straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
Check Ruijie official website for security updates and firmware patches. If available, download and apply the latest firmware following vendor instructions.
🔧 Temporary Workarounds
Block Access to Vulnerable Endpoint
Use firewall rules to block access to the /usr/local/lua/dev_sta/nbr_networkId_merge.lua endpoint:
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /usr/local/lua/dev_sta/nbr_networkId_merge.lua" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "POST /usr/local/lua/dev_sta/nbr_networkId_merge.lua" --algo bm -j DROP
Note that the string match is applied per packet and cannot see inside TLS, so the port 443 rule will not match an HTTPS request; treat these rules as a partial control and restrict who can reach the management interface at the network edge as well.
Disable Unnecessary Services
Disable the vulnerable Lua module if it is not required for operation:
mv /usr/local/lua/dev_sta/nbr_networkId_merge.lua /usr/local/lua/dev_sta/nbr_networkId_merge.lua.disabled
A firmware upgrade or factory reset may restore the original file, so re-check after any update.
🧯 If You Can't Patch
- Isolate affected routers in a dedicated VLAN with strict network segmentation
- Implement strict network access controls to limit who can communicate with the router management interface
🔍 How to Verify
Check if Vulnerable:
Check whether the file /usr/local/lua/dev_sta/nbr_networkId_merge.lua exists on the device and still contains the vulnerable module_set function.
Check Version:
cat /etc/version | grep X30-PRO
Verify Fix Applied:
Verify that the vulnerable file has been removed, renamed, or patched, and confirm that POST requests to the endpoint no longer result in command execution.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /usr/local/lua/dev_sta/nbr_networkId_merge.lua
- Suspicious command execution in system logs
- Unexpected process creation from web server
Network Indicators:
- POST requests containing shell metacharacters or command injection patterns
- Unusual outbound connections from router to external IPs
SIEM Query:
source="router_logs" AND (uri="/usr/local/lua/dev_sta/nbr_networkId_merge.lua" OR cmd="*;*" OR cmd="*|*" OR cmd="*`*" OR cmd="*$(*)")
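The log and network indicators above, turned into a small offline detector as an added example (not code from the advisory or from Ruijie). It assumes access-log lines in combined log format with the request body appended as a final quoted field, which is an assumption about how your proxy or collector logs; the sample lines are constructed. Unlike the iptables string match, it URL-decodes the payload, so a percent-encoded metacharacter such as %3B is still caught.

```python
import re
from urllib.parse import unquote_plus

# Endpoint named in the advisory.
VULN_PATH = "/usr/local/lua/dev_sta/nbr_networkId_merge.lua"

# Shell metacharacters the advisory's SIEM query looks for (; | ` $( ), plus && and newlines.
META_RE = re.compile(r"[;|`\n\r]|\$\(|&&")

# Assumed log layout: combined log format with the request body as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)


def classify(line):
    """Return an alert dict for a request to the vulnerable endpoint, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("uri").split("?", 1)[0]
    if path != VULN_PATH:
        return None
    # Decode percent-encoding and '+' so an encoded ';' (%3B) is still detected.
    payload = unquote_plus(m.group("uri")) + " " + unquote_plus(m.group("body"))
    alert = {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method")}
    if m.group("method") == "POST" and META_RE.search(payload):
        alert["severity"], alert["reason"] = "high", "POST to vulnerable endpoint with shell metacharacters"
    elif m.group("method") == "POST":
        alert["severity"], alert["reason"] = "medium", "POST to vulnerable endpoint"
    else:
        alert["severity"], alert["reason"] = "low", "non-POST access to vulnerable endpoint"
    return alert


def scan(lines):
    """Run classify over an iterable of log lines and return the alerts in order."""
    return [a for a in (classify(l) for l in lines) if a]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-"',
    '10.0.0.7 - - [01/Jan/2025:10:00:05 +0000] "POST /usr/local/lua/dev_sta/nbr_networkId_merge.lua HTTP/1.1" 200 64 "networkId=abc123"',
    '198.51.100.9 - - [01/Jan/2025:10:00:09 +0000] "POST /usr/local/lua/dev_sta/nbr_networkId_merge.lua HTTP/1.1" 200 64 "networkId=abc123%3Bid"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```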