CVE-2025-56118 – This CVE describes an OS command injection vuln... (How to Fix)

Q: What is the severity of CVE-2025-56118?

CVE-2025-56118 has a CVSS score of 8.8 (HIGH). This CVE describes an OS command injection vulnerability in Ruijie X60 PRO routers that allows attackers to execute arbitrary commands on the device. Attackers can exploit this by sending a crafted POST request to the vulnerable module_set function. Organizations using Ruijie X60 PRO routers with affected firmware versions are at risk.

📋 TL;DR

This CVE describes an OS command injection vulnerability in Ruijie X60 PRO routers that allows attackers to execute arbitrary commands on the device. Attackers can exploit this by sending a crafted POST request to the vulnerable module_set function. Organizations using Ruijie X60 PRO routers with affected firmware versions are at risk.

💻 Affected Systems

Products:

Ruijie X60 PRO

Versions: V1.00 and V2.00 firmware versions

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the nbr_cwmp.lua file which handles CWMP (TR-069) functionality. Devices with web management interfaces accessible are vulnerable.

📦 What is this software?

Rg Ew3200gx Firmware by Ruijie

View all CVEs affecting Rg Ew3200gx Firmware →

Rg X60 Pro Firmware by Ruijie

View all CVEs affecting Rg X60 Pro Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to pivot to internal networks, intercept/modify traffic, install persistent backdoors, or use the device for botnet activities.

🟠

Likely Case

Attackers gain shell access to the router, enabling them to modify configurations, intercept network traffic, or use the device as a foothold for further attacks.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts from reaching the vulnerable interface.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited via HTTP requests, making internet-facing devices particularly vulnerable to remote attacks.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to gain router access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires sending a crafted POST request to /usr/local/lua/dev_sta/nbr_cwmp.lua. Public references include exploit details and proof-of-concept information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Check Ruijie's official website for security advisories and firmware updates. Consider workarounds or replacement if no fix is forthcoming.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict access to the router's management interface to trusted IP addresses only

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Disable Vulnerable Module

linux

Disable or restrict access to the nbr_cwmp.lua file if not required

chmod 000 /usr/local/lua/dev_sta/nbr_cwmp.lua

🧯 If You Can't Patch

Segment affected routers in isolated network zones to limit lateral movement potential
Implement strict egress filtering to prevent compromised routers from communicating with external command and control servers

🔍 How to Verify

Check if Vulnerable:

Check if the file /usr/local/lua/dev_sta/nbr_cwmp.lua exists and contains the vulnerable module_set function. Test with a controlled payload to see if command injection is possible.

Check Version:

Check firmware version via web interface or CLI: cat /etc/version or similar vendor-specific command

Verify Fix Applied:

Verify that the vulnerable function has been patched or that the file is no longer accessible/executable. Test with the same payload to confirm it no longer executes commands.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /usr/local/lua/dev_sta/nbr_cwmp.lua
Suspicious command execution in system logs
Unexpected process creation from web server

Network Indicators:

HTTP requests containing shell metacharacters or command injection patterns
Outbound connections from router to unusual external IPs

SIEM Query:

source="router_logs" AND (uri="/usr/local/lua/dev_sta/nbr_cwmp.lua" OR cmd="*;*" OR cmd="*|*" OR cmd="*`*" OR cmd="*$(*)")

📊 Metadata

CVE ID: CVE-2025-56118

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 1.06% exploit probability (77.2th percentile)

Published: December 11, 2025

Last Updated: December 23, 2025

🔗 References

https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh Broken Link,Exploit
https://1drv.ms/t/c/12406a392c92914b/EV2jr71QaoFBjf3SLQcUA6sBcmzSsyx2jJ_XY7yOBk_Sjg?e=WOY7Wd Broken Link,Exploit
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56118.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-56118, you might also want to check these: