CVE-2025-56111

8.8 HIGH

📋 TL;DR

This CVE describes an OS command injection vulnerability in Ruijie RG-BCR860 routers that allows attackers to execute arbitrary commands on the device. Attackers can exploit this by sending a crafted POST request to the network_set_wan_conf endpoint. Organizations using Ruijie RG-BCR860 routers are affected.

💻 Affected Systems

Products:
  • Ruijie RG-BCR860
Versions: All versions prior to patched version (specific version unknown)
Operating Systems: Embedded Linux/Lua-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web management interface's network configuration functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept traffic, or use the device as part of a botnet.

🟠 Likely Case

Attackers gain shell access to the router, enabling them to modify configurations, intercept network traffic, or use the device for further attacks.

🟢 If Mitigated

Limited impact due to network segmentation, proper access controls, and monitoring that detects exploitation attempts.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via HTTP requests and routers are typically internet-facing devices.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the web management interface but no authentication. Public proof-of-concept code is available in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Ruijie official website for security advisories.
2. Download latest firmware if available.
3. Backup current configuration.
4. Upload and install new firmware via web interface.
5. Restart device.
6. Restore configuration if needed.

🔧 Temporary Workarounds

Disable web management interface

Disable the web-based management interface to prevent exploitation

# Via SSH/Telnet: disable web interface
# Configuration depends on specific firmware

Network access restrictions

Restrict access to management interface using firewall rules

# Allow the management interface only from a trusted address (replace trusted_ip),
# then drop every other connection; the ACCEPT rule must precede the DROP rule
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious POST requests to /usr/lib/lua/luci/controller/admin/netport.lua

🔍 How to Verify

Check if Vulnerable:

Check if device responds to POST requests at the vulnerable endpoint and test with safe command injection payloads like '; echo test'

Check Version:

# Check firmware version via the web interface, or over SSH with:
cat /etc/version

Verify Fix Applied:

Repeat the same test against the endpoint after applying fixes: the request should be rejected with an error, and the injected command should not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to network_set_wan_conf endpoint
  • Commands with shell metacharacters in web logs
  • Unexpected processes spawned from web server

Network Indicators:

  • POST requests containing shell metacharacters (;, |, &, $)
  • Unusual outbound connections from router

SIEM Query:

source="web_logs" AND uri="/usr/lib/lua/luci/controller/admin/netport.lua" AND (method="POST" AND (body="*;*" OR body="*|*" OR body="*&*" OR body="*$(*"))
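The indicator logic above, as an added Python example that is not part of the advisory: it parses constructed web-log lines, URL-decodes each form field, and flags POST requests to the network_set_wan_conf endpoint whose field values contain shell metacharacters. Checking decoded values rather than the raw body avoids flagging the '&' that separates ordinary form fields; the log format and URI prefix are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample log lines, not captured from a real device. Assumed format:
# "<src_ip> <method> <uri> <status> <url-encoded body or '-'>". The URI prefix is a
# placeholder; only the endpoint name network_set_wan_conf comes from the advisory.
SAMPLE_LOG = """\
192.0.2.10 POST /cgi-bin/luci/network_set_wan_conf 200 wan_proto=dhcp&mtu=1500
192.0.2.10 GET /cgi-bin/luci/status 200 -
198.51.100.7 POST /cgi-bin/luci/network_set_wan_conf 200 wan_proto=static&ipaddr=10.0.0.2%3Bid
198.51.100.7 POST /cgi-bin/luci/network_set_wan_conf 200 dns=203.0.113.1%24%28uname%29
203.0.113.5 POST /cgi-bin/luci/network_set_wan_conf 200 hostname=a%7Cls
203.0.113.5 POST /cgi-bin/luci/other 200 note=a%3Bb
"""

ENDPOINT = "network_set_wan_conf"
# Metacharacters from the advisory's indicator list (; | & $) plus backtick and
# newline, which reach a shell the same way. Applied to each decoded value, not the
# raw body, so the '&' between form fields does not trigger a false positive.
SHELL_META = re.compile(r"[;|&`\n]|\$[({]")


def suspicious_params(body):
    """Return {field: decoded_value} for every field whose value carries a metacharacter."""
    if body == "-":
        return {}
    hits = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if SHELL_META.search(value):
            hits[key] = value
    return hits


def scan_log(text):
    """Return one finding per POST to the endpoint whose decoded fields look like injection."""
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # malformed line: skip rather than crash the scanner
        src, method, uri, _status, body = parts
        if method != "POST" or ENDPOINT not in uri:
            continue
        hits = suspicious_params(body)
        if hits:
            findings.append({"src": src, "uri": uri, "params": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["src"], finding["uri"], finding["params"])
```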
