CVE-2024-6186 Overview
CVE-2024-6186 is an operating system command injection vulnerability in the Ruijie RG-UAC unified access controller running firmware version 1.0. The flaw resides in the /view/userAuthentication/SSO/commit.php endpoint, where the ad_log_name parameter is passed to a shell context without proper sanitization. An authenticated remote attacker can manipulate this parameter to execute arbitrary operating system commands on the appliance. Public disclosure occurred through VulDB entry #269157 and a corresponding GitHub write-up. The vendor was contacted prior to disclosure but did not respond, leaving deployed devices exposed without an official patch.
Critical Impact
Remote attackers with low-privileged access can inject arbitrary OS commands into the RG-UAC management interface, compromising the confidentiality, integrity, and availability of the access controller.
Affected Products
- Ruijie RG-UAC (hardware appliance)
- Ruijie RG-UAC Firmware 1.0
- Single Sign-On (SSO) authentication module — /view/userAuthentication/SSO/commit.php
Discovery Timeline
- 2024-06-20 - CVE-2024-6186 published to NVD with VulDB identifier #269157
- 2025-08-21 - Last updated in NVD database
Technical Details for CVE-2024-6186
Vulnerability Analysis
The vulnerability is classified as an OS Command Injection flaw [CWE-78]. The affected component is the PHP script commit.php located under the Single Sign-On user authentication path. The script accepts the ad_log_name argument from a client request and forwards the value into a shell execution context without validating, escaping, or filtering shell metacharacters.
Because the RG-UAC appliance serves as a unified access controller, successful exploitation grants the attacker command execution in the context of the web management process. This can be leveraged to read configuration data, pivot into internal network segments, or disrupt authentication services. The attack requires network reachability to the management interface and a low-privileged authenticated session.
Root Cause
The root cause is improper neutralization of special elements used in an OS command. The ad_log_name parameter is concatenated into a shell invocation inside commit.php. Shell metacharacters such as ;, |, &&, and backticks remain unfiltered, allowing the attacker to break out of the intended command and append additional commands.
Attack Vector
The attack vector is network-based. An attacker sends a crafted HTTP request to /view/userAuthentication/SSO/commit.php containing a malicious ad_log_name value. The payload typically appends a shell separator followed by an arbitrary command. Public proof-of-concept material has been disclosed through the GitHub CVE Document and the VulDB entry. No verified exploit code is reproduced here; refer to the linked advisories for technical specifics.
Detection Methods for CVE-2024-6186
Indicators of Compromise
- HTTP requests targeting /view/userAuthentication/SSO/commit.php containing shell metacharacters such as ;, |, &, $(, or backticks in the ad_log_name parameter.
- Unexpected child processes spawned by the RG-UAC web server, such as sh, bash, wget, curl, or nc.
- Outbound network connections initiated by the appliance to attacker-controlled infrastructure shortly after SSO commit requests.
Detection Strategies
- Inspect web server and reverse proxy logs for requests to the vulnerable endpoint and flag any non-alphanumeric content in the ad_log_name parameter.
- Deploy network intrusion detection signatures that match shell injection patterns against HTTP POST bodies destined for the RG-UAC management interface.
- Correlate authentication events with subsequent process execution telemetry on adjacent systems to identify lateral movement from a compromised controller.
Monitoring Recommendations
- Forward RG-UAC access logs and syslog output to a centralized SIEM and create alerts for repeated requests to commit.php from a single source.
- Monitor for configuration file changes, new accounts, or unexpected scheduled tasks on the appliance.
- Baseline outbound traffic from management appliances and alert on deviations such as connections to untrusted IP ranges.
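The log inspection from Detection Strategies and the repeated-request alert from Monitoring Recommendations, sketched in Python as an added example (not part of the original advisory and not Ruijie tooling). It assumes combined-format access logs that record the query string; the sample lines, addresses and threshold are constructed, and values sent in POST bodies would need body logging at a proxy or WAF instead.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/view/userAuthentication/SSO/commit.php"
PARAM = "ad_log_name"
# Combined-log-format prefix: client address, then the quoted request line.
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
SAFE_VALUE = re.compile(r"[A-Za-z0-9]*")  # the page's rule: anything non-alphanumeric is flagged

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jun/2024:10:00:01 +0000] "GET /view/userAuthentication/SSO/commit.php?ad_log_name=audit01 HTTP/1.1" 200 512
198.51.100.7 - - [20/Jun/2024:10:00:05 +0000] "GET /view/userAuthentication/SSO/commit.php?ad_log_name=audit%3Bexample HTTP/1.1" 200 512
198.51.100.7 - - [20/Jun/2024:10:00:06 +0000] "GET /view/userAuthentication/SSO/commit.php?ad_log_name=audit%60x%60 HTTP/1.1" 200 512
198.51.100.7 - - [20/Jun/2024:10:00:07 +0000] "POST /view/userAuthentication/SSO/commit.php HTTP/1.1" 200 512
192.0.2.10 - - [20/Jun/2024:10:00:09 +0000] "GET /index.php?ad_log_name=a%7Cb HTTP/1.1" 200 512
"""

def scan(log_text, repeat_threshold=3):
    """Return (flagged, noisy): flagged is a list of (source, decoded value) for
    non-alphanumeric ad_log_name values; noisy maps a source to its request
    count when it hit the endpoint at least repeat_threshold times."""
    flagged, hits = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        hits[m["src"]] += 1
        # parse_qs percent-decodes values, so encoded characters such as %3B are checked in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not SAFE_VALUE.fullmatch(value):
                flagged.append((m["src"], value))
    noisy = {src: n for src, n in hits.items() if n >= repeat_threshold}
    return flagged, noisy

if __name__ == "__main__":
    flagged, noisy = scan(SAMPLE_LOG)
    for src, value in flagged:
        print(f"ALERT injection-pattern src={src} {PARAM}={value!r}")
    for src, n in noisy.items():
        print(f"ALERT repeated-requests src={src} count={n}")
```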
How to Mitigate CVE-2024-6186
Immediate Actions Required
- Restrict network access to the RG-UAC management interface using firewall rules so only trusted administrative subnets can reach the device.
- Disable or block the /view/userAuthentication/SSO/commit.php endpoint at an upstream proxy or WAF if it is not required for production use.
- Rotate administrative credentials and review SSO configuration for unauthorized changes.
Patch Information
No vendor patch has been released. The VulDB advisory notes that Ruijie did not respond to the disclosure. Operators should monitor the VulDB entry and the Ruijie support portal for future firmware updates and apply them as soon as they become available.
Workarounds
- Place the RG-UAC management interface behind a VPN or jump host to eliminate direct internet exposure.
- Apply a web application firewall rule that rejects requests to commit.php containing shell metacharacters in the ad_log_name parameter.
- Audit authentication logs and disable unused SSO accounts to reduce the pool of credentials that can reach the vulnerable code path.
# Example WAF rule (ModSecurity) to block shell metacharacters in ad_log_name
SecRule REQUEST_URI "@contains /view/userAuthentication/SSO/commit.php" \
"chain,phase:2,deny,status:403,id:1006186,msg:'CVE-2024-6186 RG-UAC command injection attempt'"
SecRule ARGS:ad_log_name "@rx [;|&`$()<>]" "t:none"