Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65363

CVE-2025-65363: Ruijie Rg-ap720-l Firmware RCE Flaw

CVE-2025-65363 is an authenticated command injection RCE vulnerability in Ruijie Rg-ap720-l Firmware affecting AP_RGOS 11.1.x. Attackers can execute shell commands as root via web_action.do. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-65363 Overview

CVE-2025-65363 is an authenticated command injection vulnerability affecting Ruijie RG-AP720-L wireless access points running AP_RGOS 11.1.x firmware. The flaw exists in the web_action.do endpoint, where the command parameter accepts user input that gets appended to a shell expression executed as root. An authenticated administrative user can append arbitrary shell commands to legitimate input, achieving root-level command execution on the device. Successful exploitation enables file disclosure, device disruption, configuration tampering, and potential lateral movement into adjacent network segments. The vulnerability is tracked under CWE-77: Improper Neutralization of Special Elements used in a Command.

Critical Impact

Authenticated attackers can execute arbitrary shell commands as root on affected Ruijie access points, leading to full device compromise and a foothold for network pivoting.

Affected Products

  • Ruijie RG-AP720-L access point hardware
  • Ruijie RG-AP720-L firmware (AP_RGOS 11.1.x)
  • Deployments exposing the web management interface to untrusted networks

Discovery Timeline

  • 2025-12-08 - CVE-2025-65363 published to NVD
  • 2025-12-12 - Last updated in NVD database

Technical Details for CVE-2025-65363

Vulnerability Analysis

The vulnerability resides in the web management interface of Ruijie RG-AP720-L access points. The web_action.do endpoint accepts a command parameter intended for predefined diagnostic or administrative operations. The backend handler passes this parameter into a shell context without adequate neutralization of shell metacharacters. As a result, an authenticated user can append shell expressions such as command separators, subshells, or pipes to the expected input. The injected payload executes within the same shell process as the original command and inherits root privileges. Because exploitation requires valid authentication, the realistic attack scenarios involve compromised administrator credentials, insider threats, or chaining with separate authentication weaknesses. Once executed, the attacker can read sensitive configuration files, extract credentials, modify firewall and routing rules, reboot the device, or stage further attacks against connected wired and wireless network segments.

Root Cause

The root cause is improper neutralization of special elements used in a command [CWE-77]. The web handler concatenates user-supplied content into a shell invocation rather than executing the underlying binary with safely parameterized arguments. No allowlist or escaping is applied to the appended portion of the command value.

Attack Vector

The attack vector is network-based and requires authenticated access to the device web interface. An attacker sends a crafted HTTP request to the web_action.do endpoint with a command parameter containing shell metacharacters followed by an arbitrary payload. The appended expression is evaluated by the shell with root privileges. The vulnerability mechanism is described in the GitHub Security Advisory.

Detection Methods for CVE-2025-65363

Indicators of Compromise

  • HTTP POST or GET requests to web_action.do containing shell metacharacters such as ;, |, &&, backticks, or $() inside the command parameter.
  • Unexpected child processes spawned by the web management daemon, including sh, cat, wget, curl, nc, or tftp.
  • Outbound connections from the access point management IP to unfamiliar external hosts shortly after administrative web sessions.
  • Unscheduled configuration changes, new administrative accounts, or modified startup scripts on AP_RGOS 11.1.x devices.

Detection Strategies

  • Inspect web server and management logs on Ruijie APs for web_action.do requests with non-alphanumeric content in the command parameter.
  • Forward access point syslog and HTTP logs to a centralized SIEM and alert on shell metacharacter patterns in URL parameters.
  • Baseline normal administrative request patterns and flag deviations such as unusual user agents, source IPs, or request frequency.

Monitoring Recommendations

  • Monitor authentication events on access point management interfaces for brute-force attempts and unusual login locations.
  • Track north-south and east-west traffic originating from access point management addresses to identify pivoting attempts.
  • Enable file integrity monitoring on configuration backups exported from the access point fleet.

How to Mitigate CVE-2025-65363

Immediate Actions Required

  • Restrict access to the access point web management interface to a dedicated management VLAN reachable only by trusted administrative hosts.
  • Rotate all administrative credentials on affected Ruijie RG-AP720-L devices and enforce strong, unique passwords.
  • Audit recent administrative sessions and HTTP logs for evidence of web_action.do abuse.
  • Disable remote web management on internet-exposed or guest-reachable interfaces until a vendor patch is applied.

Patch Information

At the time of publication, no vendor patch URL is listed in the advisory references. Administrators should consult the Ruijie official site and the GitHub Security Advisory for updated firmware releases addressing AP_RGOS 11.1.x. Apply firmware updates across the entire affected device fleet once available and validate that the web_action.do handler no longer accepts shell metacharacters.

Workarounds

  • Place access point management interfaces behind a firewall that allows inbound HTTP/HTTPS only from a defined administrative jump host.
  • Use network access control lists to block direct client-to-AP management traffic from production and guest VLANs.
  • Require VPN or bastion host access for any administrative session against AP_RGOS devices.
  • Increase logging verbosity on the web management daemon and forward logs off-device to preserve forensic evidence.
bash
# Example ACL restricting AP management access to a single admin host
access-list 110 permit tcp host 10.10.0.25 host 10.20.0.1 eq 443
access-list 110 deny   tcp any host 10.20.0.1 eq 443
access-list 110 deny   tcp any host 10.20.0.1 eq 80
access-list 110 permit ip any any

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.