CVE-2024-6187 Overview
CVE-2024-6187 is an operating system command injection vulnerability affecting Ruijie RG-UAC 1.0. The flaw resides in the /view/vpn/autovpn/sub_commit.php script, where the key parameter is passed to a shell context without proper sanitization [CWE-78]. An authenticated remote attacker can manipulate this argument to execute arbitrary operating system commands on the underlying device.
The vulnerability was disclosed publicly through VulDB entry #269158 and a GitHub advisory. According to the disclosure, the vendor was contacted before publication but did not respond. Ruijie RG-UAC appliances function as unified access control gateways that enforce network segmentation and VPN access policy, so command execution on one of these devices puts every policy the gateway enforces at risk.
Critical Impact
Remote attackers with low-privilege access can execute arbitrary OS commands on Ruijie RG-UAC appliances via the autovpn sub_commit.php endpoint, enabling full device compromise.
Affected Products
- Ruijie RG-UAC 1.0 (hardware appliance)
- Ruijie RG-UAC Firmware 1.0
- Any RG-UAC 1.0 deployment in which the /view/vpn/autovpn/ web management path is reachable by users who hold, or can obtain, management credentials
Discovery Timeline
- 2024-06-20 - CVE-2024-6187 published to NVD with VulDB identifier #269158
- 2025-08-21 - Last updated in NVD database
Technical Details for CVE-2024-6187
Vulnerability Analysis
The vulnerability is classified as OS command injection under [CWE-78]. The affected code path lies in the PHP handler /view/vpn/autovpn/sub_commit.php, which is part of the auto-VPN provisioning workflow exposed by the device web interface. The handler accepts a user-supplied key parameter and passes it to a system shell call without sufficient escaping or allow-listing.
Injected commands run with whatever privileges the web server process holds. On embedded network appliances that is frequently a privileged account, so full device compromise should be assumed until the vendor states otherwise. The attack can be initiated remotely over the network. The CVSS v4.0 vector records low privileges required (PR:L), meaning the attacker needs an authenticated session to the management interface but no administrator-level rights.
The EPSS probability score of 2.428% at percentile 85.339 (higher than roughly 85% of all scored CVEs) indicates elevated exploitation interest, even though no confirmed in-the-wild activity has been reported.
Root Cause
The root cause is the absence of input validation and shell metacharacter neutralization on the key argument before it is concatenated into a command string. Standard mitigations, namely PHP's escapeshellarg(), an allow-list for the expected key format, or replacing system()-style invocations with an argument-array API that never hands the value to a shell, were not applied to this code path.
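The following Python script is an added illustration of this bug class and its fixes; it is not the RG-UAC handler (which is PHP and not public) and the key format in the allow-list is an assumption. A function that echoes the supplied key via the shell stands in for the handler, and the three variants show the vulnerable concatenation, argument quoting (shlex.quote is the analogue of escapeshellarg()), and allow-listing plus an argv array with no shell at all.

```python
import re
import shlex
import subprocess

# Hypothetical key format for the allow-list; the real RG-UAC format is not documented.
KEY_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def run_vulnerable(key: str) -> str:
    """Vulnerable pattern: the key is concatenated into a shell command string."""
    cmd = "echo " + key                      # metacharacters in key reach /bin/sh
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(key: str) -> str:
    """Mitigation 1: quote the argument so the shell sees a single literal word."""
    cmd = "echo " + shlex.quote(key)         # escapeshellarg() equivalent
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(key: str) -> str:
    """Mitigation 2: allow-list the key, then exec with an argv list and no shell."""
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"rejected key: {key!r}")
    # shell=False: no shell ever parses the value, so metacharacters are inert
    return subprocess.run(["echo", key], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "vpn01; echo INJECTED"          # constructed injection payload
    print("vulnerable:", run_vulnerable(payload).splitlines())  # ['vpn01', 'INJECTED']
    print("quoted:    ", run_quoted(payload).splitlines())      # ['vpn01; echo INJECTED']
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened:  ", exc)
    print("hardened:  ", run_hardened("vpn01").strip())          # vpn01
```

The quoted variant is the smallest patch for code that must keep calling a shell; the hardened variant is the one to reach for when the handler can be restructured, because it removes the shell from the path entirely and rejects unexpected input before any process is spawned.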
Attack Vector
An attacker reaches the vulnerable endpoint over HTTP/HTTPS against the appliance management interface. After submitting a crafted key value containing shell metacharacters such as ;, |, or backticks, the appended commands are executed in the device shell. Successful exploitation can lead to credential theft, configuration modification, persistent backdoors, and lateral movement into protected network segments served by the gateway.
No verified exploit code is published in the enriched data set. Refer to the GitHub CVE documentation and VulDB entry #269158 for the public technical write-up.
Detection Methods for CVE-2024-6187
Indicators of Compromise
- HTTP POST or GET requests to /view/vpn/autovpn/sub_commit.php containing shell metacharacters such as ;, &&, |, $(, or backticks in the key parameter
- Unexpected child processes spawned by the web server account on the RG-UAC appliance, such as sh, wget, curl, or nc
- Outbound connections from the appliance to unfamiliar hosts shortly after requests to the autovpn path
Detection Strategies
- Inspect web server and reverse proxy logs for requests to sub_commit.php and decode the key parameter, repeatedly if it is double-encoded, looking for shell syntax; standard access logs record only the query string, so POST bodies must be captured at the WAF or reverse proxy
- Deploy signatures in network IDS/IPS that match command injection patterns in URL or POST body parameters targeting the autovpn endpoint
- Baseline normal administrative traffic to the RG-UAC management interface and alert on anomalous source IPs or off-hours access
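The log check described in the first two strategies, written out as an added Python example that is not part of the original page or of any Ruijie tooling. The access log lines are constructed for the demonstration; the path and parameter name are the ones from the advisory. The script decodes the key parameter until it stops changing, so a double-encoded payload such as %2524%2528 (which decodes to $( ) is not missed, and flags any value containing shell syntax.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

VULN_PATH = "/view/vpn/autovpn/sub_commit.php"
PARAM = "key"

# Shell syntax that has no business in a provisioning key.
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")

# Common/combined access-log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jun/2024:10:01:02 +0000] "GET /view/vpn/autovpn/sub_commit.php?key=vpn01 HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jun/2024:10:02:15 +0000] "GET /view/vpn/autovpn/sub_commit.php?key=vpn01%3Bid HTTP/1.1" 200 640',
    '10.0.0.9 - - [20/Jun/2024:10:02:40 +0000] "GET /view/vpn/autovpn/sub_commit.php?key=a%2524%2528id%2529 HTTP/1.1" 200 640',
    '10.0.0.5 - - [20/Jun/2024:10:03:00 +0000] "GET /view/index.php HTTP/1.1" 200 100',
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """Return one finding per request to the vulnerable path whose key contains shell syntax."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src_ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != VULN_PATH:
            continue
        # parse_qs performs one round of decoding; fully_decode handles any further layers.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            decoded = fully_decode(raw)
            hit = SHELL_META.search(decoded)
            if hit:
                findings.append({
                    "src_ip": src_ip,
                    "time": ts,
                    "method": method,
                    "status": status,
                    "decoded_key": decoded,
                    "metachar": hit.group(0),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src_ip']} {f['method']} key={f['decoded_key']!r} ({f['metachar']!r})")
```

Run against a real log export, feed the findings into the correlation step (same source IP followed by outbound connections from the appliance) rather than alerting on each hit in isolation, and extend LOG_RE if the proxy in front of the appliance uses a different log format.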
Monitoring Recommendations
- Forward appliance syslog and HTTP access logs to a centralized analytics platform for retention and correlation
- Monitor for new cron entries, modified startup scripts, or unexpected listening ports on the appliance
- Track authentication events on the management interface for brute force or unusual session activity that may precede exploitation
How to Mitigate CVE-2024-6187
Immediate Actions Required
- Restrict access to the RG-UAC web management interface to a dedicated administrative network or VPN, blocking exposure from the internet and general user VLANs
- Rotate administrator credentials and audit all accounts permitted to authenticate to the management UI
- Review device configuration, scheduled tasks, and firmware integrity for signs of tampering
Patch Information
As of the last NVD modification on 2025-08-21, no vendor advisory or fixed firmware version is listed in the enriched data. The disclosure notes that Ruijie did not respond to the reporter. Operators should contact Ruijie support directly to request a remediation timeline and apply any subsequent firmware updates as they become available.
Workarounds
- Place the RG-UAC management interface behind an upstream access control list that permits only known administrator source addresses
- Disable the auto-VPN provisioning workflow if it is not required in the deployment
- Add WAF or reverse proxy rules to reject requests to /view/vpn/autovpn/sub_commit.php containing shell metacharacters in the key parameter; treat this as a compensating control only, since encoding tricks can slip past pattern rules and the fix remains vendor firmware
# Example upstream firewall rule restricting RG-UAC management access
# Replace ADMIN_NET and UAC_MGMT_IP with your environment values
# These FORWARD rules apply on a router or firewall in front of the appliance and must
# precede any broader ACCEPT rule in the chain; add the same pair for port 80 if the
# management UI is also served over plain HTTP
iptables -A FORWARD -s ADMIN_NET -d UAC_MGMT_IP -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d UAC_MGMT_IP -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.