CVE-2025-56130

8.8 HIGH

📋 TL;DR

This CVE describes an OS command injection vulnerability in Ruijie RG-S1930 switches that allows attackers to execute arbitrary commands via a crafted POST request to the module_update endpoint. An attacker with network access to the vulnerable device can achieve remote code execution. Organizations running Ruijie RG-S1930 switches on the affected firmware are at risk.

💻 Affected Systems

Products:
  • Ruijie RG-S1930
Versions: S1930SWITCH_3.0(1)B11P230
Operating Systems: Embedded switch OS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the web management interface's module_update functionality. No special configuration is required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the network switch allowing attackers to pivot to other network segments, intercept/modify traffic, deploy persistent backdoors, or use the device as a launch point for further attacks.

🟠

Likely Case

Attackers gain administrative control of the switch, enabling traffic interception, network disruption, credential harvesting, and lateral movement within the network.

🟢

If Mitigated

Limited impact due to network segmentation, strict access controls, and monitoring that detects and blocks exploitation attempts.

🌐 Internet-Facing: HIGH - If the switch management interface is exposed to the internet, attackers can remotely exploit this without authentication.
🏢 Internal Only: HIGH - Even internally, this vulnerability allows attackers with network access to compromise critical network infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending a crafted POST request to the vulnerable endpoint. Public references include exploit details and proof-of-concept information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check Ruijie official website for security advisories and firmware updates. Apply any available patches immediately.

🔧 Temporary Workarounds

Restrict Network Access


Block access to the switch management interface from untrusted networks and limit internal access to authorized administrative hosts only.

  • Use firewall rules to restrict access to the switch management IP/ports
  • Implement network segmentation to isolate management traffic

Disable Web Management Interface


If possible, disable the web management interface and use CLI or other secure management methods.

Configure via CLI:
  no ip http server
  no ip http secure-server

🧯 If You Can't Patch

  • Implement strict network access controls to limit which hosts can communicate with the switch management interface
  • Deploy network intrusion detection/prevention systems to monitor for exploitation attempts and block malicious traffic

🔍 How to Verify

Check if Vulnerable:

Check firmware version via CLI: show version | include S1930SWITCH. If version is S1930SWITCH_3.0(1)B11P230, the device is vulnerable.

Check Version:

show version | include S1930SWITCH

Verify Fix Applied:

After applying any vendor patch, verify the firmware version has been updated to a version later than S1930SWITCH_3.0(1)B11P230.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /usr/local/lua/dev_config/ace_sw.lua
  • Suspicious command execution in system logs
  • Multiple failed authentication attempts followed by successful POST requests

Network Indicators:

  • Unusual outbound connections from the switch to external IPs
  • POST requests to switch management interface containing shell metacharacters or command injection patterns

SIEM Query:

source="switch_logs" AND (uri="/usr/local/lua/dev_config/ace_sw.lua" OR cmd="module_update") AND (method="POST")
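The SIEM query above fires on every module_update request, legitimate or not. As an added example (not from the advisory or the vendor), the following Python scans constructed reverse-proxy access-log lines for POSTs to the ace_sw.lua endpoint, decodes the form body, and separates ordinary module_update calls from ones whose parameter values carry shell metacharacters. The log layout and the parameter names are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Endpoint and action named in this CVE's description.
VULN_URI = "/usr/local/lua/dev_config/ace_sw.lua"
VULN_ACTION = "module_update"
# Shell metacharacters that never belong in a legitimate module name.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

# Assumed log layout (not from the page): combined-style access log from a
# reverse proxy in front of the management UI, POST body as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<body>[^"]*)"$'
)

@dataclass
class Alert:
    src: str
    ts: str
    severity: str   # "high" = injection pattern present, "info" = action only
    detail: str

def inspect_line(line: str):
    """Return an Alert for a module_update POST to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not m["uri"].startswith(VULN_URI):
        return None
    params = parse_qs(m["body"], keep_blank_values=True)   # decodes %3B etc.
    values = [v for vs in params.values() for v in vs]
    if VULN_ACTION not in values and VULN_ACTION not in m["uri"]:
        return None
    for v in values:                      # inspect decoded values, not the raw body
        hit = SHELL_META.search(v)
        if hit:
            return Alert(m["src"], m["ts"], "high", f"shell metacharacter {hit.group()!r} in {v!r}")
    return Alert(m["src"], m["ts"], "info", "module_update request")

def scan(lines):
    return [a for a in map(inspect_line, lines) if a is not None]

# Constructed sample lines; the form parameter names are made up for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"',
    '10.0.0.5 - - [01/Jan/2025:10:01:00 +0000] "POST /usr/local/lua/dev_config/ace_sw.lua HTTP/1.1" 200 54 "action=module_update&module=base"',
    '203.0.113.7 - - [01/Jan/2025:10:02:00 +0000] "POST /usr/local/lua/dev_config/ace_sw.lua HTTP/1.1" 200 54 "action=module_update&module=base%3Bid"',
]
```

Running scan(SAMPLE_LOG) yields an "info" alert for the admin host and a "high" alert for the request whose decoded module value contains a `;`.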
