CVE-2026-12197 Overview
CVE-2026-12197 is a command injection vulnerability in the Ruijie EG105G-P router running firmware version 2.340. The flaw resides in the nslookup function of the /cgi-bin/luci/api/diagnose endpoint, part of the JSON-RPC Diagnose component. Attackers can manipulate the params.target argument to inject arbitrary operating system commands. The exploit code is publicly available, increasing the likelihood of opportunistic attacks against exposed devices. The vendor was contacted prior to public disclosure but did not respond. The weakness is classified under [CWE-74] for improper neutralization of special elements in output used by a downstream component.
Critical Impact
Authenticated attackers can execute arbitrary commands on the router operating system through a crafted JSON-RPC request, leading to full device compromise.
Affected Products
- Ruijie EG105G-P router
- Firmware version 2.340
- /cgi-bin/luci/api/diagnose JSON-RPC Diagnose Endpoint
Discovery Timeline
- 2026-06-15 - CVE-2026-12197 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12197
Vulnerability Analysis
The Ruijie EG105G-P exposes a diagnostic JSON-RPC API at /cgi-bin/luci/api/diagnose. This endpoint accepts diagnostic operations including nslookup, which performs DNS resolution against a user-supplied target. The router passes the params.target field directly into a shell command without sanitization or argument escaping. An attacker who can reach the management interface and authenticate as a privileged user can append shell metacharacters such as semicolons, pipes, or backticks to params.target. The injected payload executes with the privileges of the web service, which on consumer router platforms typically runs as root. Public proof-of-concept material has been released, and the EPSS score of 2.385% places the issue in the 81st percentile for likely exploitation.
Root Cause
The nslookup handler concatenates user input into a shell command string rather than invoking the binary through a safe execve-style API with separate arguments. No allowlist filters or character escaping is applied to the target parameter before invocation. This pattern is the classic [CWE-74] injection weakness.
Attack Vector
Exploitation requires network access to the router's management interface and high-privilege authentication, as reflected in the CVSS vector component PR:H. The attacker sends a JSON-RPC POST request to /cgi-bin/luci/api/diagnose with a params.target value containing shell separators followed by an arbitrary command. The response either reflects command output or executes silently, depending on how the handler captures stdout. Successful exploitation yields code execution on the device, allowing persistence, traffic interception, lateral movement into the LAN, or recruitment into a botnet.
No verified exploit code is published in a structured advisory. Refer to the GitHub Issue Discussion and VulDB CVE-2026-12197 entries for technical details.
Detection Methods for CVE-2026-12197
Indicators of Compromise
- HTTP POST requests to /cgi-bin/luci/api/diagnose containing shell metacharacters (;, |, &, `, $() in the params.target JSON field.
- Unexpected child processes spawned by the LuCI web service, such as shells, wget, curl, tftp, or nc.
- Outbound connections from the router to unfamiliar hosts shortly after a diagnose API call.
Detection Strategies
- Inspect web server and reverse proxy logs for requests targeting /cgi-bin/luci/api/diagnose and parse the JSON body for non-hostname characters in target.
- Deploy network intrusion detection signatures that match command injection payloads delivered to the diagnose endpoint over HTTP or HTTPS.
- Correlate management-plane authentication events with diagnose API usage to flag anomalous administrative sessions.
Monitoring Recommendations
- Forward router syslog and HTTP access logs to a centralized SIEM for retention and rule-based alerting.
- Alert on any process execution from the LuCI service that is not on a known baseline of diagnostic binaries.
- Monitor for new outbound connections from the device to internet hosts on common payload retrieval ports.
How to Mitigate CVE-2026-12197
Immediate Actions Required
- Remove the router's management interface from any untrusted network and restrict it to a dedicated administrative VLAN.
- Rotate administrator credentials and audit account inventory to remove any unauthorized high-privilege accounts.
- Inspect device configuration for unexpected port forwards, DNS overrides, or scheduled tasks that may indicate prior compromise.
Patch Information
At the time of publication, no vendor patch has been referenced in the advisory. Ruijie did not respond to the original disclosure. Operators should track the VulDB Vulnerability #370840 entry and Ruijie's support portal for firmware updates superseding version 2.340.
Workarounds
- Disable remote management on the WAN interface and limit LAN-side access to specific administrator workstations by IP.
- Place an upstream firewall rule blocking POST requests to /cgi-bin/luci/api/diagnose from non-administrative hosts.
- Where feasible, replace the affected EG105G-P firmware with a known-good version or migrate to a supported platform.
# Example upstream ACL restricting access to the diagnose endpoint
iptables -A FORWARD -p tcp --dport 443 -d <router_ip> \
-m string --string "/cgi-bin/luci/api/diagnose" --algo bm \
! -s <admin_workstation_ip> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

