CVE-2025-56120

8.8 HIGH

📋 TL;DR

This CVE describes an OS command injection vulnerability in Ruijie X60 PRO routers that allows an attacker to execute arbitrary commands on the device. It is triggered by sending a crafted POST request to the vulnerable endpoint of the web management interface. Organizations running Ruijie X60 PRO routers on affected firmware versions are at risk.

💻 Affected Systems

Products:
  • Ruijie X60 PRO
Versions: V1.00/V2.00
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web management interface component that handles configuration requests.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to network infiltration, data exfiltration, and use as a pivot point for attacking internal networks.

🟠

Likely Case

Router compromise allowing traffic interception, credential theft, and deployment of persistent backdoors.

🟢

If Mitigated

Limited impact if network segmentation and proper access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited via HTTP requests, making internet-facing devices particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal devices are still vulnerable to attacks from compromised internal hosts or malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted HTTP POST request to the vulnerable endpoint. Public proof-of-concept code is available in the GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor Ruijie's security advisories for updates and apply patches when released.

🔧 Temporary Workarounds

Disable Web Management Interface

Disable the web management interface if it is not required for operations; consult the router documentation for the commands that disable it.

Network Access Control

Restrict access to the router management interface with firewall rules, for example (replace trusted_network with your management subnet; rules are appended, so make sure no earlier rule already accepts the traffic):

iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected routers from critical systems
  • Deploy web application firewall (WAF) rules to block suspicious POST requests to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the web interface or SSH. If the version is V1.00 or V2.00, the device is vulnerable.

Check Version:

Run ssh admin@router_ip 'cat /etc/version', or check the System Information page in the web interface.

Verify Fix Applied:

Verify that the firmware has been updated to a version beyond V2.00, or check that the vulnerable endpoint no longer accepts malicious input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /usr/local/lua/dev_config/config_retain.lua
  • Suspicious command execution in system logs
  • Multiple failed authentication attempts followed by successful POST

Network Indicators:

  • HTTP POST requests containing shell metacharacters or command injection patterns
  • Unusual outbound connections from router to external IPs

SIEM Query:

source="router_logs" AND (uri="/usr/local/lua/dev_config/config_retain.lua" OR (method="POST" AND (body CONTAINS "|" OR body CONTAINS ";" OR body CONTAINS "`" OR body CONTAINS "$")))
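The same detection logic as the SIEM query above, implemented as a small Python checker over JSON-lines router access logs. This is an added example, not code from the advisory or the vendor; it assumes a log source that records the request body (as the SIEM query does) with constructed field names src, method, uri and body, and the sample log is constructed.

```python
import json
import re
from typing import Dict, List, Optional

# Endpoint named in this advisory's detection section.
VULN_ENDPOINT = "/usr/local/lua/dev_config/config_retain.lua"
# The four shell metacharacters the page's SIEM query matches on.
METACHAR_RE = re.compile(r"[|;`$]")

def classify(event: Dict[str, str]) -> Optional[str]:
    """Label one request event per the page's SIEM logic, or None if benign."""
    to_endpoint = event.get("uri") == VULN_ENDPOINT
    is_post = event.get("method") == "POST"
    body_has_meta = is_post and METACHAR_RE.search(event.get("body") or "") is not None
    if to_endpoint and body_has_meta:
        return "HIGH"    # metacharacters aimed at the vulnerable endpoint
    if to_endpoint:
        return "MEDIUM"  # any traffic to the endpoint deserves a look
    if body_has_meta:
        return "LOW"     # metacharacters elsewhere: noisy, but worth counting
    return None

def scan_log(text: str) -> List[Dict[str, object]]:
    """Run classify() over JSON-lines access logs; skip blank or unparseable lines."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: a real pipeline would count these
        label = classify(event)
        if label:
            hits.append({"line": lineno, "src": event.get("src"), "label": label})
    return hits

# Constructed sample log (not from any real device); field names are assumptions.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "method": "GET", "uri": "/index.html", "body": ""}
{"src": "10.0.0.5", "method": "POST", "uri": "/login", "body": "user=admin&pass=xxxx"}
{"src": "203.0.113.9", "method": "POST", "uri": "/usr/local/lua/dev_config/config_retain.lua", "body": "key=val;x"}
{"src": "10.0.0.7", "method": "GET", "uri": "/usr/local/lua/dev_config/config_retain.lua", "body": ""}
{"src": "10.0.0.8", "method": "POST", "uri": "/search", "body": "q=a|b"}
not json at all
"""
```

Calling scan_log(SAMPLE_LOG) returns three hits (lines 3, 4 and 5 labelled HIGH, MEDIUM and LOW); expect LOW hits to be noisy on any device whose forms legitimately carry those characters, so tune them before alerting on them.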
