Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Ruijie NBR Series Routers Unauthenticated Arbitrary File Upload Vulnerability Allowing Remote Code Execution
Vulnerability
An arbitrary file upload vulnerability has been identified in Ruijie NBR series routers, specifically within the fileupload.php endpoint. This vulnerability allows remote attackers to upload files without proper validation or sanitization of file types, paths, or extensions. Exploitation of this vulnerability could lead to unauthorized code execution on the device, as uploaded PHP files can be executed from the web root. Evidence of exploitation was recorded by the Shadowserver Foundation on January 14, 2025.
Impact
Successful exploitation allows for arbitrary code execution on the router, with the executed code running in the context of the web service.
Reproduction
To reproduce this vulnerability, send a POST request to /ddi/server/fileupload.php that includes the uploadDir and name parameters. The uploadDir parameter can be manipulated to traverse directories, while the name parameter should be set to a PHP file name. The request must also include a file payload, such as a PHP file containing a short snippet like a call to phpinfo(). Once the file is uploaded, it can be accessed from the web server's root directory.
Remediation
Users are advised to upgrade to the latest firmware version.
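For defenders checking whether a device has already been targeted, the following is an added example, not part of the original advisory: a log triage script for the request shape described under Reproduction. It assumes the router's web traffic is visible as combined-log-format lines (for example from a proxy in front of the device) and that uploadDir and name appear in the query string; the sample lines and severity labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/ddi/server/fileupload.php"  # path named in the advisory

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [14/Jan/2025:10:02:11 +0000] "POST /ddi/server/fileupload.php?uploadDir=../../upload&name=a.php HTTP/1.1" 200 12
192.0.2.10 - - [14/Jan/2025:10:03:40 +0000] "GET /index.htm HTTP/1.1" 200 5120
203.0.113.5 - - [14/Jan/2025:10:05:02 +0000] "POST /ddi/server/fileupload.php HTTP/1.1" 200 12
192.0.2.10 - - [14/Jan/2025:10:06:00 +0000] "POST /ddi/server/fileupload.php?uploadDir=%2e%2e%2f&name=x.PHP HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def triage(line):
    """Return a finding dict for a POST to the upload endpoint, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    if unquote(url.path).lower() != ENDPOINT:
        return None
    params = parse_qs(url.query)  # parse_qs percent-decodes values once
    upload_dir = params.get("uploadDir", [""])[0]
    name = params.get("name", [""])[0]
    reasons = ["POST to upload endpoint"]
    if ".." in upload_dir.replace("\\", "/").split("/"):
        reasons.append("directory traversal in uploadDir")
    if name.lower().rstrip(". ").endswith(".php"):
        reasons.append("PHP file name in name")
    # Body-only parameters are invisible in access logs, so every POST is kept.
    likely = len(reasons) > 1 and m["status"].startswith("2")
    return {"ip": m["ip"], "status": int(m["status"]),
            "severity": "high" if likely else "review", "reasons": reasons}

def scan(log_text):
    """Triage every line and return the findings in log order."""
    return [f for f in map(triage, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any finding, including a "review" one, is worth following up on a device whose management interface should not be receiving uploads from that source.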
