CVE-2024-2909 in RG-EG350

Summary

by MITRE • 03/26/2024

A vulnerability classified as critical was found in Ruijie RG-EG350 up to 20240318. Affected by this vulnerability is the function setAction of the file /itbox_pi/networksafe.php?a=set of the component HTTP POST Request Handler. The manipulation of the argument bandwidth leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257977 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.


Analysis

by VulDB Data Team • 11/03/2025

The vulnerability identified as CVE-2024-2909 is a critical OS command injection flaw in Ruijie RG-EG350 network equipment firmware versions up to 20240318. It resides in the HTTP POST Request Handler component, specifically in the setAction function of the /itbox_pi/networksafe.php?a=set file. The flaw is triggered when the bandwidth argument is processed, which allows attackers to inject operating system commands directly into the system's execution path. The critical classification stems from remote exploitability and the potential for full system compromise, since command injection lets an attacker execute arbitrary code with the privileges of the affected service.

Technically, this vulnerability follows the common OS command injection pattern: user-supplied input is concatenated directly into a system command without sanitization or validation. When a malicious value for the bandwidth parameter is submitted through the HTTP POST request handler, the system incorporates it into an underlying shell command, creating an opportunity for arbitrary command execution. The flaw falls under CWE-77 and CWE-88, the CWE categories that cover command injection where user-controllable data is used in command construction. The attack vector requires only remote access to the device's web interface, which makes it particularly dangerous: it can be exploited from outside the network perimeter without physical access or prior authentication.

The operational impact of this vulnerability extends beyond simple command execution, as it can enable attackers to gain complete control over the affected network equipment. Successful exploitation could allow threat actors to modify network configurations, redirect traffic, establish persistence mechanisms, or even use the device as a pivot point for attacking other systems within the network. The fact that this vulnerability has been publicly disclosed and has an assigned VDB identifier indicates that it is actively being used in the wild, making immediate remediation critical. Network defenders must recognize that compromised network equipment can serve as a foundation for broader attacks, potentially enabling lateral movement, data exfiltration, or disruption of network services, which aligns with tactics described in the MITRE ATT&CK framework under T1059.001 for command and scripting interpreter and T1566 for phishing techniques that might be used to initially gain access.

Mitigation strategies for CVE-2024-2909 should prioritize immediate firmware updates from Ruijie, although the vendor's lack of response to early disclosure raises concerns about timely patch availability. Organizations should implement network segmentation to limit access to affected devices and monitor for suspicious HTTP POST requests targeting the vulnerable endpoint. Access controls should be strengthened through authentication mechanisms, network access control lists, and firewall rules that restrict access to administrative interfaces. Additionally, network monitoring should focus on identifying unusual command execution patterns and anomalous traffic to the affected component. The vulnerability's remote exploitability necessitates continuous vulnerability scanning and network monitoring to detect exploitation attempts, as well as maintaining detailed logs of administrative activities for forensic analysis. Organizations should also consider implementing network intrusion detection systems specifically configured to detect command injection patterns in HTTP traffic to provide early warning of exploitation attempts.
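The two practical controls above, rejecting anything but a well-formed bandwidth value at the handler and watching HTTP POST traffic to the vulnerable endpoint, reduce to the same allow-list check. The following Python is an added example written for this page; it is not Ruijie's code and nothing is known about the real handler's internals. It assumes that a legitimate bandwidth value is a plain non-negative integer (an assumption, not something the advisory states) and that request records are available as (client, method, request target, POST body) tuples, as a reverse proxy or WAF log would yield. The sample records are constructed for the example. A request that is a POST to /itbox_pi/networksafe.php with a=set and carries a bandwidth value outside the allow-list is reported as a finding; the same predicate, applied server-side before the value reaches any shell, is the fix the vendor would need to ship.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory.
VULN_PATH = "/itbox_pi/networksafe.php"
VULN_QUERY_ACTION = "set"
VULN_PARAM = "bandwidth"

# Assumption for this example: a legitimate bandwidth value is a short
# non-negative integer. Anything else (shell metacharacters, substitutions,
# empty values) is outside the allow-list and treated as suspicious.
SAFE_VALUE = re.compile(r"^[0-9]{1,9}$")

# Constructed sample records (client, method, request target, POST body).
# Not captured traffic; they exist only to exercise the detector.
SAMPLE_RECORDS = [
    ("10.0.0.5", "POST", "/itbox_pi/networksafe.php?a=set", "bandwidth=2048&enable=1"),
    ("10.0.0.9", "POST", "/itbox_pi/networksafe.php?a=set", "bandwidth=2048%3Bx&enable=1"),
    ("10.0.0.9", "POST", "/itbox_pi/networksafe.php?a=set", "bandwidth=%24%28x%29"),
    ("10.0.0.7", "POST", "/itbox_pi/networksafe.php?a=get", "bandwidth=x"),
    ("10.0.0.8", "GET", "/itbox_pi/index.php", ""),
]


def targets_vulnerable_endpoint(method, target):
    """True when the request is a POST to networksafe.php with a=set."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return False
    return VULN_QUERY_ACTION in parse_qs(parts.query).get("a", [])


def inspect_record(client, method, target, body):
    """Return a finding for a suspicious request, or None when it looks benign."""
    if not targets_vulnerable_endpoint(method, target):
        return None
    # parse_qs percent-decodes the body, so encoded metacharacters are seen decoded.
    values = parse_qs(body, keep_blank_values=True).get(VULN_PARAM, [])
    for raw in values:
        if not SAFE_VALUE.match(raw):
            return {
                "client": client,
                "param": VULN_PARAM,
                "value": raw,
                "reason": "bandwidth value is not a plain integer",
            }
    return None


def scan(records):
    """Run the check over a sequence of records and collect the findings."""
    return [f for f in (inspect_record(*r) for r in records) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Only the two POSTs with a non-integer bandwidth value are reported; the request to a=get and the unrelated GET are ignored, so the detector stays scoped to the component the advisory names. Matching on an allow-list rather than on a blocklist of metacharacters is deliberate: it also catches encodings and constructs a blocklist would miss.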

Responsible: VulDB
Reservation: 03/26/2024
Disclosure: 03/26/2024
Moderation: accepted
CPE: ready
Exploit: publicly disclosed
EPSS: 0.03987
KEV: no
Activities: very low
