CVE-2025-56110

8.8 HIGH

📋 TL;DR

This CVE describes an OS command injection vulnerability in Ruijie RG-BCR860 routers that allows attackers to execute arbitrary commands via a crafted POST request to a specific API endpoint. Attackers can gain remote code execution on affected devices, potentially compromising network infrastructure. Organizations using Ruijie RG-BCR860 routers are affected.

💻 Affected Systems

Products:
  • Ruijie RG-BCR860
Versions: All versions prior to patch
Operating Systems: Embedded Linux/Lua-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the web management interface API endpoint. Devices with web management enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router, allowing attackers to pivot to internal networks, intercept or modify traffic, install persistent backdoors, or use the device as a botnet node.

🟠 Likely Case

Attackers gain shell access to the router, enabling them to reconfigure network settings, intercept traffic, or use the device for further attacks.

🟢 If Mitigated

Limited impact if the device is behind firewalls with strict ingress filtering and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending a crafted POST request to /usr/lib/lua/luci/controller/api/rcmsAPI.lua endpoint. Public PoC available in GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Ruijie official website for security advisories
2. Download latest firmware if available
3. Backup current configuration
4. Upload and install new firmware via web interface
5. Restart device
6. Restore configuration if needed

🔧 Temporary Workarounds

Disable Web Management Interface

Disable the web management interface to prevent exploitation via the vulnerable API endpoint

# Via CLI: disable web management
# Configuration depends on specific Ruijie CLI syntax

Network Access Control

Restrict access to router management interface using firewall rules

# Example iptables rule to restrict access to management IP
# iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Isolate affected routers in a separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious POST requests to /usr/lib/lua/luci/controller/api/rcmsAPI.lua

🔍 How to Verify

Check if Vulnerable:

Check whether the device responds to POST requests at the vulnerable endpoint, for example with curl: curl -X POST http://router-ip/usr/lib/lua/luci/controller/api/rcmsAPI.lua

Check Version:

# Check firmware version via web interface or CLI
# CLI command varies by Ruijie device model

Verify Fix Applied:

After applying workarounds, verify that the endpoint is no longer accessible or that it properly sanitizes input.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /usr/lib/lua/luci/controller/api/rcmsAPI.lua with command injection patterns
  • Unusual command execution in system logs
  • Failed authentication attempts followed by API access

Network Indicators:

  • Unusual outbound connections from router
  • POST requests to router management interface from unexpected sources
  • Traffic patterns indicating command execution

SIEM Query:

source="router_logs" AND (url="/usr/lib/lua/luci/controller/api/rcmsAPI.lua" OR cmd="*;*" OR cmd="*|*" OR cmd="*`*" OR cmd="*$(*)")
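
As an added example (not part of this advisory and not Ruijie's code), the Python below turns the log indicators and the SIEM query above into a small scanner: it reads constructed access-log lines in an assumed format, keeps only POSTs to the rcmsAPI.lua endpoint, and raises the severity when the URL-decoded request body contains the shell metacharacters the query looks for. Decoding matters because a literal-match SIEM query such as the one above misses `%3B` or `%24%28`.

```python
import re
from urllib.parse import unquote_plus

# Endpoint named in the advisory and the metacharacters the SIEM query matches on.
VULN_ENDPOINT = "/usr/lib/lua/luci/controller/api/rcmsAPI.lua"
INJECTION_PATTERN = re.compile(r"[;|`]|\$\(")

# Assumed log format (an assumption for this example, not Ruijie's real format):
# <client_ip> <method> <path> "<request body as logged>"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+"(?P<body>.*)"$'
)


def classify(line):
    """Return (severity, reason) for one log line, or None if it is not of interest."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore any query string
    if m.group("method") != "POST" or path != VULN_ENDPOINT:
        return None
    body = unquote_plus(m.group("body"))  # decode before matching metacharacters
    if INJECTION_PATTERN.search(body):
        return ("high", f"POST to {VULN_ENDPOINT} with shell metacharacters from {m.group('ip')}")
    return ("medium", f"POST to {VULN_ENDPOINT} from {m.group('ip')}")


def scan(lines):
    """Run classify() over an iterable of log lines and return the non-empty findings."""
    return [finding for finding in (classify(line) for line in lines) if finding]


# Constructed sample lines (not real traffic); bodies are URL-encoded as a proxy would log them.
SAMPLE_LOG = [
    '192.0.2.10 GET /cgi-bin/luci/ ""',
    '192.0.2.10 POST /usr/lib/lua/luci/controller/api/rcmsAPI.lua "cmd=status"',
    '198.51.100.7 POST /usr/lib/lua/luci/controller/api/rcmsAPI.lua?x=1 "cmd=status%3Bid"',
    '198.51.100.7 POST /usr/lib/lua/luci/controller/api/rcmsAPI.lua "cmd=%24%28id%29"',
    '192.0.2.11 POST /usr/lib/lua/luci/controller/api/other.lua "cmd=a%3Bb"',
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```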
