CVE-2025-56114

8.8 HIGH

📋 TL;DR

This CVE describes an OS command injection vulnerability in Ruijie M18 routers that allows attackers to execute arbitrary commands on the device via a crafted POST request. The vulnerability affects Ruijie M18 routers running specific firmware versions and can be exploited without authentication. Network administrators using these devices are at risk of complete system compromise.

💻 Affected Systems

Products:
  • Ruijie M18 Router
Versions: EW_3.0(1)B11P226_M18_10223116
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of affected firmware versions. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover allowing attackers to install persistent backdoors, pivot to internal networks, exfiltrate sensitive data, or use the device as part of a botnet.

🟠

Likely Case

Attackers gain root access to the router, enabling them to intercept network traffic, modify configurations, and potentially compromise connected devices.

🟢

If Mitigated

If proper network segmentation and access controls are in place, impact may be limited to the router itself without lateral movement to other systems.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited via HTTP POST requests, making internet-facing devices immediately vulnerable to remote attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to gain router control and pivot within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted POST request to the vulnerable endpoint. Public proof-of-concept code is available in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is currently available. Monitor Ruijie's security advisories for updates and apply patches immediately when released.

🔧 Temporary Workarounds

Network Access Restriction (platform: linux)

Restrict access to the router's management interface to trusted IP addresses only (replace TRUSTED_IP with the address or range of your management hosts):

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Disable Remote Management (platform: all)

Disable remote management features if they are not required: check the router web interface for remote management settings and disable them.

🧯 If You Can't Patch

  • Isolate affected routers in a separate VLAN with strict firewall rules
  • Implement network monitoring and intrusion detection for suspicious POST requests to /usr/local/lua/dev_config/config_retain.lua

🔍 How to Verify

Check if Vulnerable:

Check whether the router is running firmware version EW_3.0(1)B11P226_M18_10223116. The vulnerability can be tested by sending a crafted POST request to the module_set parameter in /usr/local/lua/dev_config/config_retain.lua (note: testing may trigger exploitation, so only do this on devices you are authorized to test).

Check Version:

Check the router web interface or use SNMP queries to determine the firmware version.

Verify Fix Applied:

Verify firmware has been updated to a version newer than EW_3.0(1)B11P226_M18_10223116. Test that command injection attempts no longer succeed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /usr/local/lua/dev_config/config_retain.lua
  • Commands with shell metacharacters in POST parameters
  • Unexpected system command execution in router logs

Network Indicators:

  • POST requests containing shell commands (;, |, &, $, etc.) in parameters
  • Unusual outbound connections from the router
  • Traffic to suspicious IP addresses from router

SIEM Query:

source="router_logs" AND (uri="/usr/local/lua/dev_config/config_retain.lua" AND method="POST" AND (param CONTAINS ";" OR param CONTAINS "|" OR param CONTAINS "$" OR param CONTAINS "`"))
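The SIEM query above expresses the detection logic in a generic query language. The following Python script is an added example, not part of this advisory or of any Ruijie tooling: it applies the same indicators (POST to the config_retain.lua path with shell metacharacters in a parameter) to web-access log lines. The log format (client IP, method, path, quoted request body) and the sample lines are constructed for illustration; adapt parse_line to whatever your router or reverse proxy actually emits.

```python
import re
from urllib.parse import unquote_plus

# Endpoint named in the advisory
VULN_PATH = "/usr/local/lua/dev_config/config_retain.lua"
# Shell metacharacters listed under "Network Indicators"
META_RE = re.compile(r"[;|&$`]")

# Hypothetical log format: <client ip> <method> <path> "<request body>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>[^"]*)"$')

# Constructed sample log lines (not real traffic)
SAMPLE_LOGS = [
    '10.0.0.5 POST /usr/local/lua/dev_config/config_retain.lua "module_set=wan"',
    '10.0.0.9 POST /usr/local/lua/dev_config/config_retain.lua "module_set=wan;id"',
    '10.0.0.7 GET /index.html ""',
    '10.0.0.9 POST /usr/local/lua/dev_config/config_retain.lua "module_set=lan%7Creboot"',
]


def parse_line(line):
    """Return a dict with ip/method/path/body, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_body(body):
    """Split a form-encoded body into {key: [values]}, percent-decoding each part.

    Splitting only on '&' (rather than urllib.parse.parse_qs) keeps a ';' inside
    a value intact, which is exactly the character we want to inspect.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def suspicious_params(body):
    """Return the parameters whose decoded value contains a shell metacharacter."""
    return {
        k: v for k, v in parse_body(body).items()
        if any(META_RE.search(x) for x in v)
    }


def scan(lines):
    """Flag POST requests to the vulnerable path that carry metacharacters."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != VULN_PATH:
            continue
        bad = suspicious_params(rec["body"])
        if bad:
            hits.append({"ip": rec["ip"], "params": bad})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"suspicious POST from {hit['ip']}: {hit['params']}")
```

Decoding the body before matching matters: the fourth sample line carries a URL-encoded pipe (%7C) that a raw substring search for "|" would miss, while a benign value such as module_set=wan produces no hit.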
