CVE-2025-56117

8.8 HIGH

📋 TL;DR

This CVE describes an OS command injection vulnerability in Ruijie X30-PRO routers that allows attackers to execute arbitrary commands via a crafted POST request. Attackers can achieve remote code execution with high privileges, potentially compromising the entire device. Organizations using Ruijie X30-PRO routers with vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • Ruijie X30-PRO
Versions: X30-PRO-V1_09241521 and likely earlier versions
Operating Systems: Embedded Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the nbr_cwmp.lua module which handles CWMP (TR-069) functionality. Devices with this module enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept traffic, or use the device as part of a botnet.

🟠 Likely Case

Attackers gain shell access to the router, modify configurations, steal credentials, and potentially use the device as a foothold for lateral movement.

🟢 If Mitigated

Limited impact if network segmentation isolates the device and strict egress filtering prevents command and control communication.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via HTTP POST requests, making internet-facing devices prime targets for automated exploitation.
🏢 Internal Only: MEDIUM - Internal devices are still vulnerable to insider threats or attackers who have already breached the network perimeter.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub repository contains detailed exploitation information. The vulnerability requires sending a crafted POST request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the Ruijie official website for firmware updates.
2. Download the latest firmware for the X30-PRO.
3. Upload the firmware via the web interface.
4. Apply the update and reboot the device.

🔧 Temporary Workarounds

Block access to vulnerable endpoint (Linux)

Use firewall rules to block requests for the /usr/local/lua/dev_sta/nbr_cwmp.lua endpoint:

iptables -A INPUT -p tcp --dport 80 -m string --string "nbr_cwmp.lua" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "nbr_cwmp.lua" --algo bm -j DROP

Note that the iptables string match only sees cleartext: on port 443 the request path is inside the TLS stream and the rule will not match, so this is a stopgap for plain HTTP management traffic, not a substitute for disabling the interface or patching.

Disable CWMP/TR-069 if not needed (all platforms)

Turn off the TR-069 remote management functionality:

1. Connect to the router web interface.
2. Navigate to Management > TR-069.
3. Disable the TR-069 client.

🧯 If You Can't Patch

  • Segment Ruijie devices on isolated VLANs with strict firewall rules
  • Implement network-based intrusion detection to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface: System > System Information > Firmware Version. If the version is X30-PRO-V1_09241521 or earlier, the device is likely vulnerable.

Check Version:

curl -s http://router-ip/cgi-bin/luci/ | grep -i firmware

Verify Fix Applied:

After updating the firmware, verify that the version has changed from the vulnerable version. Test with a controlled exploitation attempt from an authorized security testing system.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /usr/local/lua/dev_sta/nbr_cwmp.lua with shell metacharacters
  • Unusual process execution from web server context
  • Failed authentication attempts followed by POST to vulnerable endpoint

Network Indicators:

  • HTTP POST requests containing shell commands (;, |, &, $, etc.) to router management interface
  • Outbound connections from router to unknown IPs post-exploitation

SIEM Query:

source="router_logs" AND (uri="*nbr_cwmp.lua*" AND method="POST" AND (content="*;*" OR content="*|*" OR content="*`*" OR content="*$(*"))
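As an added example (not part of this advisory or of any Ruijie tooling), the log indicator above applied to constructed log lines: it flags POST requests to nbr_cwmp.lua whose body carries a shell metacharacter in any field value. Unlike the plain wildcard match in the SIEM query, it percent-decodes each field first, so an encoded ";" or "|" is not missed, and it checks "&" per field so the normal form separator does not cause false positives. The key=value log format and the sample lines are hypothetical.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Hypothetical key=value log format, constructed for this example. Adapt LOG_RE
# to whatever your router, reverse proxy or CWMP front end actually emits.
LOG_RE = re.compile(
    r'src=(?P<src>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+) body="(?P<body>[^"]*)"'
)
VULN_ENDPOINT = "nbr_cwmp.lua"
# Shell metacharacters listed in the indicators above: ; | & backtick and $(
META_RE = re.compile(r"[;|&`]|\$\(")

def is_suspicious(line: str) -> Optional[dict]:
    """Return a finding for a POST to the vulnerable endpoint whose body has a
    shell metacharacter in any percent-decoded field value, else None."""
    m = LOG_RE.search(line)
    if not m or m["method"].upper() != "POST" or VULN_ENDPOINT not in m["uri"]:
        return None
    # Split on the raw form separator first, then decode each value, so an
    # encoded %26 ('&') inside a value is inspected rather than treated as a separator.
    for field in filter(None, m["body"].split("&")):
        name, _, raw = field.partition("=")
        value = unquote_plus(raw)
        hit = META_RE.search(value)
        if hit:
            return {"src": m["src"], "uri": m["uri"], "field": name,
                    "metachar": hit.group(0), "value": value}
    return None

def scan(lines) -> list:
    """Run is_suspicious over an iterable of log lines and collect the findings."""
    return [f for f in map(is_suspicious, lines) if f]

# Constructed sample lines: two injection attempts (the second percent-encoded),
# one benign CWMP request, one GET, and one POST with ';' to an unrelated URI.
SAMPLE_LOGS = [
    'src=192.0.2.10 method=POST uri=/usr/local/lua/dev_sta/nbr_cwmp.lua body="acs_url=http://acs.example/;id"',
    'src=192.0.2.11 method=POST uri=/usr/local/lua/dev_sta/nbr_cwmp.lua body="acs_url=http%3A%2F%2Facs.example%2F%7Cid"',
    'src=192.0.2.12 method=POST uri=/usr/local/lua/dev_sta/nbr_cwmp.lua body="acs_url=http://acs.example/cwmp&period=3600"',
    'src=192.0.2.13 method=GET uri=/usr/local/lua/dev_sta/nbr_cwmp.lua body=""',
    'src=192.0.2.14 method=POST uri=/cgi-bin/luci/ body="username=admin;id"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Legitimate ACS URLs can carry query strings, so tune META_RE (or whitelist known ACS hosts) before alerting on "&" in production.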
