Primary

Context

Ruijie RG-S1930 and RG-NBS5100-24GT4SFP OS Command Injection Vulnerability

Vulnerability

An OS command injection vulnerability has been identified in Ruijie RG-S1930 switches running version S1930SWITCH_3.0(1)B11P230, as well as in the RG-NBS5100-24GT4SFP model running ReyeeOS248. This vulnerability allows authenticated remote attackers to execute arbitrary commands on the affected device by sending specially crafted POST requests to the module_update in the file /usr/local/lua/dev_config/ace_sw.lua.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to the module_update endpoint in the /usr/local/lua/dev_config/ace_sw.lua file. The request must be crafted to include the desired commands for execution on the server.

Added: Dec 11, 2025, 7:17 PM

Updated: Dec 11, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

7.5

exploitability

6.2

remediation

0.0

relevance

1.4

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

7.5

exploitability

6.2

remediation

0.0

relevance

1.4

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Ruijie RG-S1930 and RG-NBS5100-24GT4SFP OS Command Injection Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

Ruijie RG-S1930

Ruijie RG-NBS5100-24GT4SFP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating