An issue was found on the Ruijie EG-2000 series gateway. There is a newcli.php API interface without access control, which can allow an attacker (who only has web interface access) to use TELNET commands and/or show admin passwords via the mode_url=exec&command= substring. This affects EG-2000SE EG_RGOS 11.9 B11P1.
The newcli.php API interface does not require authentication, allowing any user with access to the web panel to send requests with the parameter mode_url=exec&command=. Through this parameter, it is possible to execute TELNET commands and display administrator passwords. This is a classic case of command injection (CWE-78), where user input is passed directly to the command interpreter without proper validation and filtering.
An attacker can remotely execute commands on the device without any authentication and obtain administrator passwords, resulting in complete device takeover, loss of data confidentiality and integrity, and potential use of the device as an entry point to the internal network.
Apply patches available from the manufacturer according to the references. As a temporary measure, it is recommended to restrict access to the device's web interface only to trusted IP addresses and implement network segmentation that prevents unauthorized users from reaching the management panel.
Ruijie EG-2000SE with firmware EG_RGOS 11.9 B11P1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRuijie Eg 2000se
HWRuijiewszystkie wersjeRuijie Eg 2000se Firmware
OSRuijie11.9_b11p1
Related vulnerabilities
An issue was found on the Ruijie EG-2000 series gateway. An attacker can easily dump cleartext stored password...
An issue was found in upload.php on the Ruijie EG-2000 series gateway. A parameter passed to the class UploadF...
An issue was found on the Ruijie EG-2000 series gateway. There is a buffer overflow in client.so. Consequently...
Pominięcie uwierzytelnienia w przełącznikach Ruijie RG-ES Series
RCE w usłudze mqlink.elf urządzenia Ruijie RG-EW300N via MQTT