CVE-2025-56129

8.8 HIGH

📋 TL;DR

This CVE describes an OS command injection vulnerability in Ruijie RG-BCR860 routers that allows attackers to execute arbitrary commands via crafted POST requests to the diagnosis controller. Attackers can gain remote code execution on affected devices, potentially compromising the entire network. Organizations using Ruijie RG-BCR860 routers are affected.

💻 Affected Systems

Products:
  • Ruijie RG-BCR860
Versions: All versions prior to patch
Operating Systems: Embedded Linux/Lua-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web management interface's diagnosis functionality. Default configurations appear vulnerable.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to network compromise, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠

Likely Case

Unauthorized command execution allowing network reconnaissance, credential harvesting, and potential pivot to internal systems.

🟢

If Mitigated

Limited impact due to network segmentation, proper access controls, and monitoring preventing successful exploitation.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely via HTTP requests, making internet-exposed devices immediate targets.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to gain elevated privileges and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to the web interface. The vulnerability is in a controller that processes user input without proper sanitization.
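The root cause the page describes is a diagnosis handler that hands user input to a shell. The example below is added here to show the defensive pattern that closes that class of bug: a fixed argv template per tool, a strict allowlist check on the target, and no shell in the call path. It is a generic Python illustration, not the RG-BCR860 firmware's own code (which is Lua); the tool set, option values and function names are assumptions.

```python
"""Added example: building a diagnostic command from user input without a shell.
Generic illustration only; not the RG-BCR860 firmware's own code.
"""
import ipaddress
import re
import subprocess

# Assumed: only these two tools are exposed, each with a fixed argv template.
# The caller may choose the tool and the target, nothing else.
DIAG_TOOLS = {
    "ping": ["ping", "-c", "4"],
    "traceroute": ["traceroute", "-m", "15"],
}

# RFC-1123 style hostname: labels of letters, digits and hyphens, no leading
# or trailing hyphen, 253 characters overall. Anything else (spaces, ';', '|',
# '$', backticks, a leading '-') fails to match and is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def validate_target(target: str) -> str:
    """Return the target unchanged if it is an IP literal or a plain hostname."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected diagnostic target: {target!r}")


def build_diag_command(tool: str, target: str) -> list:
    """Assemble argv for the chosen tool; raises ValueError on bad tool or target."""
    if tool not in DIAG_TOOLS:
        raise ValueError(f"unknown diagnostic tool: {tool!r}")
    return DIAG_TOOLS[tool] + [validate_target(target)]


def is_rejected(tool: str, target: str) -> bool:
    """True if the request would be refused before any process is spawned."""
    try:
        build_diag_command(tool, target)
    except ValueError:
        return True
    return False


def run_diag(tool: str, target: str, timeout: int = 30) -> str:
    """Run the tool and return its stdout.

    Vulnerable pattern this replaces (do not use):
        os.popen("ping -c 4 " + target)
    Here argv goes straight to execve(), so shell metacharacters in `target`
    are never interpreted, and validate_target() has already rejected them.
    """
    argv = build_diag_command(tool, target)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    print(build_diag_command("ping", "10.0.0.1"))
    print(is_rejected("ping", "10.0.0.1;id"))
```

The two layers are independent: even if the allowlist regex were loosened, the absence of a shell means a metacharacter in the target is passed to `ping` as a literal argument rather than executed.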

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available at time of analysis

Restart Required: Yes

Instructions:

1. Contact Ruijie support for firmware updates.
2. Download the latest firmware from the vendor portal.
3. Back up the device configuration.
4. Upload and apply the firmware update.
5. Verify the fix and restore the configuration if needed.

🔧 Temporary Workarounds

Disable Web Management Interface

Disable the web management interface if it is not required for operations.

  # Access device via SSH/Telnet
  # Disable web interface service
  # Specific commands depend on firmware version

Network Access Control

Restrict access to the management interface using firewall rules.

  # Example iptables rules: allow the management port only from a trusted
  # source, then drop everything else. Replace trusted_ip with the address
  # or subnet of your management host, and adjust the port if the interface
  # is served on a port other than 80.
  iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
  iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Ruijie devices from critical systems
  • Deploy web application firewall (WAF) rules to block suspicious POST requests to /usr/lib/lua/luci/controller/admin/diagnosis.lua

🔍 How to Verify

Check if Vulnerable:

Check whether the device responds to POST requests at the vulnerable endpoint, and test with a safe command injection payload (such as the 'id' command).

Check Version:

Check the web interface login page, or use the SSH command cat /etc/version (or a similar firmware version file).

Verify Fix Applied:

Test the same endpoint with command injection payloads after patching; it should return an error or sanitized output.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /usr/lib/lua/luci/controller/admin/diagnosis.lua
  • Commands with shell metacharacters in web logs
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Unusual outbound connections from Ruijie device
  • POST requests containing shell commands or special characters

SIEM Query:

source="ruijie_web_logs" AND (uri="/usr/lib/lua/luci/controller/admin/diagnosis.lua" AND method="POST") AND (request_body CONTAINS "|" OR request_body CONTAINS ";" OR request_body CONTAINS "`" OR request_body CONTAINS "$")
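The log indicators and SIEM query above reduce to one rule: a POST to the diagnosis controller whose body carries shell metacharacters. The script below is an added example that applies the same rule offline to web-server log lines, so the logic can be tested before it is translated into a SIEM. It is not the device's own logging format; the line layout, field names and sample entries are constructed assumptions.

```python
"""Added example: flag suspected command-injection attempts against the
diagnosis controller in web access logs. Log format is an assumption.
"""
import re
from dataclasses import dataclass, field

DIAG_PATH = "/usr/lib/lua/luci/controller/admin/diagnosis.lua"

# The same metacharacters the page's SIEM query looks for, plus '&' and
# newline, which also terminate a shell command.
SHELL_META = re.compile(r"[|;`$&\n]")

# Assumed log line layout (constructed for this example):
#   <source ip> <method> <uri> <status> body=<raw request body>
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) body=(?P<body>.*)$"
)


@dataclass
class Alert:
    src: str
    uri: str
    body: str
    metachars: list = field(default_factory=list)


def parse_line(line: str):
    """Return the parsed fields as a dict, or None if the line does not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry: dict) -> bool:
    """POST to the diagnosis controller with a shell metacharacter in the body."""
    path = entry["uri"].split("?", 1)[0]  # ignore any query string
    return (
        entry["method"] == "POST"
        and path == DIAG_PATH
        and SHELL_META.search(entry["body"]) is not None
    )


def scan_log(lines) -> list:
    """Run the rule over an iterable of log lines; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            found = sorted(set(SHELL_META.findall(entry["body"])))
            alerts.append(Alert(entry["src"], entry["uri"], entry["body"], found))
    return alerts


# Constructed sample log: one benign diagnosis request, one GET, one POST to
# a different path, and two bodies that break out of a shell argument.
SAMPLE_LOG = [
    "192.0.2.10 POST /usr/lib/lua/luci/controller/admin/diagnosis.lua 200 body=host=10.0.0.1",
    "198.51.100.7 POST /usr/lib/lua/luci/controller/admin/diagnosis.lua 200 body=host=10.0.0.1;id",
    "198.51.100.7 GET /usr/lib/lua/luci/controller/admin/diagnosis.lua 200 body=",
    "192.0.2.10 POST /cgi-bin/luci/admin/status 200 body=a=b|c",
    "198.51.100.7 POST /usr/lib/lua/luci/controller/admin/diagnosis.lua?x=1 500 body=host=$(uname)",
]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert.src} -> {alert.uri} metachars={alert.metachars} body={alert.body!r}")
```

Note that the rule is scoped to the one controller path: the same metacharacters in a POST to another endpoint (the fourth sample line) are not flagged, which keeps the false-positive rate low, and a response status of 500 on a flagged request (the last line) is worth treating as a likely successful injection rather than a failed one, since the page notes patched devices should return an error.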
