CVE-2025-56124 – This CVE describes an OS command injection vuln... (How to Fix)

Q: What is the severity of CVE-2025-56124?

CVE-2025-56124 has a CVSS score of 7.8 (HIGH). This CVE describes an OS command injection vulnerability in Ruijie X60 PRO routers that allows attackers to execute arbitrary commands on the device. Attackers can exploit it by sending a crafted POST request to a specific Lua endpoint. Organizations using Ruijie X60 PRO routers with vulnerable firmware versions are affected.

📋 TL;DR

This CVE describes an OS command injection vulnerability in Ruijie X60 PRO routers that allows attackers to execute arbitrary commands on the device. Attackers can exploit it by sending a crafted POST request to a specific Lua endpoint. Organizations using Ruijie X60 PRO routers with vulnerable firmware versions are affected.

💻 Affected Systems

Products:

Ruijie X60 PRO

Versions: V1.00, V2.00

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the default configuration of affected firmware versions.

📦 What is this software?

Rg Ew1200 Firmware by Ruijie

View all CVEs affecting Rg Ew1200 Firmware →

Rg X60 Pro Firmware by Ruijie

View all CVEs affecting Rg X60 Pro Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing installation of persistent backdoors, credential theft, network pivoting to internal systems, and disruption of network services.

🟠

Likely Case

Unauthorized command execution leading to device configuration changes, network reconnaissance, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact with proper network segmentation, command execution restricted to low-privilege contexts, and monitoring detecting exploitation attempts.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to the device's web interface but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Check Ruijie official website for firmware updates. If available, download latest firmware and follow vendor upgrade procedures.

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict access to the device's management interface to trusted IP addresses only

iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Vulnerable Endpoint

linux

Remove or disable access to the vulnerable Lua endpoint if possible

rm /usr/local/lua/dev_sta/networkConnect.lua
chmod 000 /usr/local/lua/dev_sta/networkConnect.lua

🧯 If You Can't Patch

Isolate affected devices in a separate VLAN with strict firewall rules
Implement network monitoring for POST requests to /usr/local/lua/dev_sta/networkConnect.lua

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface or SSH: cat /etc/version | grep X60_10212014RG

Check Version:

cat /etc/version

Verify Fix Applied:

Verify firmware version is updated beyond V2.00 and test POST requests to the vulnerable endpoint return errors

📡 Detection & Monitoring

Log Indicators:

POST requests to /usr/local/lua/dev_sta/networkConnect.lua with suspicious parameters
Unusual command execution in system logs
Failed authentication attempts followed by successful POST requests

Network Indicators:

HTTP POST requests to router IP on port 80/443 containing command injection patterns (;, |, &, $, etc.)
Unusual outbound connections from router to external IPs

SIEM Query:

source="router_logs" AND (uri="/usr/local/lua/dev_sta/networkConnect.lua" OR (method="POST" AND (param CONTAINS ";" OR param CONTAINS "|" OR param CONTAINS "&" OR param CONTAINS "$")))

📊 Metadata

CVE ID: CVE-2025-56124

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.18% exploit probability (39.3th percentile)

Published: December 11, 2025

Last Updated: December 18, 2025

🔗 References

https://1drv.ms/f/c/12406a392c92914b/EqOEJce7qVtBlzpFonUkSfYBz09eegk6KowUdpDNexgUvw?e=qfwDKh Product
https://1drv.ms/t/c/12406a392c92914b/EWnUygFXeTVNigjp81gJ3LQBJ-hCSb_Yq4gGIMxlan7uJg?e=emOIoc Third Party Advisory
https://github.com/flegoity/Ruijie-Multiple-Devices-Vulnerability-Reports-for-CVE/blob/main/CVE-2025-56124.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-56124, you might also want to check these: