CVE-2024-5337 in RG-UAC

Summary

by MITRE • 05/25/2024

A vulnerability was found in Ruijie RG-UAC up to 20240516 and classified as critical. This issue affects some unknown processing of the file /view/systemConfig/sys_user/user_commit.php. The manipulation of the argument email2/user_name leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266243. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.


Analysis

by VulDB Data Team • 08/22/2025

The vulnerability identified as CVE-2024-5337 represents a critical OS command injection flaw in Ruijie RG-UAC devices running firmware versions up to 20240516. This vulnerability resides within the system configuration module, specifically in the file /view/systemConfig/sys_user/user_commit.php which handles user management operations. The flaw manifests when processing user input parameters, particularly the email2 and user_name fields, which are not properly sanitized before being incorporated into system commands. This creates a direct pathway for malicious actors to execute arbitrary operating system commands on the affected device through carefully crafted input payloads. The vulnerability's classification as critical stems from its remote exploitability and the potential for full system compromise, making it a significant threat to network security infrastructure. The issue falls under CWE-77, which specifically addresses improper neutralization of special elements used in OS commands, a well-documented weakness in software security that has been exploited in numerous high-profile attacks. The vulnerability's public disclosure through VDB-266243 indicates that threat actors have likely already developed working exploits, increasing the urgency for immediate remediation. The affected Ruijie RG-UAC devices are commonly deployed in enterprise network environments as unified access control systems, making this vulnerability particularly dangerous as it could allow attackers to gain unauthorized administrative access to critical network infrastructure. Attackers can leverage this vulnerability to obtain system shell access, exfiltrate data, escalate privileges, and potentially establish persistent backdoors within the network. The remote nature of the attack vector means that exploitation does not require physical access to the device, making it accessible to attackers from anywhere on the internet.
The lack of vendor response to early disclosure attempts is particularly concerning as it suggests either inadequate security practices within the vendor organization or potential delays in addressing critical security issues. This vulnerability directly maps to several ATT&CK techniques including T1059.001 for command and scripting interpreter, T1068 for local privilege escalation, and T1566 for phishing with malicious attachments, as attackers could use the compromised device to launch further attacks within the network. The vulnerability's impact extends beyond simple command execution as it provides attackers with complete control over the device's operating system, potentially enabling them to modify network configurations, monitor traffic, and disrupt services. The affected system configuration module suggests that this vulnerability could allow attackers to modify user accounts, access system logs, and potentially gain access to sensitive network information. Organizations using Ruijie RG-UAC devices should immediately implement network segmentation to isolate these devices from critical network segments, disable unnecessary services, and deploy network monitoring solutions to detect potential exploitation attempts. The remediation strategy should include immediate firmware updates from Ruijie, though the vendor's lack of response raises concerns about the timeliness of available patches. Until official patches are available, network administrators should consider implementing firewall rules to restrict access to the affected device, disable the vulnerable web interface where possible, and conduct thorough network scans to identify any potential compromise. The vulnerability demonstrates the importance of input validation and proper sanitization of user-supplied data, as well as the critical need for vendors to maintain responsive security disclosure practices. 
This case highlights the risks associated with legacy network security devices that may not receive timely security updates, particularly when vendors fail to respond to security disclosures. The potential for this vulnerability to be used as a foothold for lateral movement within networks makes it particularly dangerous, as attackers could use compromised RG-UAC devices to pivot to other network resources and escalate their attacks. The security community should monitor for additional related vulnerabilities in similar network infrastructure devices, as this flaw may indicate broader security issues within the Ruijie product line. Organizations should also consider implementing network behavior analysis tools to detect anomalous command execution patterns that might indicate exploitation attempts, and establish incident response procedures specifically tailored to address network device compromises. The vulnerability serves as a reminder of the critical importance of maintaining up-to-date security patches and the potential consequences of delayed vendor responses to security threats.
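The analysis above recommends monitoring for exploitation attempts against the affected script. As an added example (not part of the VulDB record or any vendor tooling), the following Python checker scans access-log lines for requests to /view/systemConfig/sys_user/user_commit.php whose email2 or user_name values contain shell metacharacters, including double-URL-encoded ones; the combined access-log format and the sample lines are constructed assumptions, and requests that carry the parameters in a POST body would need the same check applied to a proxy or WAF log that records the body.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Affected script and parameters, as named in the CVE record.
VULN_PATH = "/view/systemConfig/sys_user/user_commit.php"
WATCHED_PARAMS = ("email2", "user_name")
# Shell metacharacters that never belong in a user name or e-mail field.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")

# Assumed: combined (Apache/nginx style) access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def flag_request(line):
    """Return an alert dict if the line targets the vulnerable script with
    suspicious values in the watched parameters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None  # metacharacters on other paths are out of scope here
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            decoded = unquote_plus(value)  # second pass catches double-encoding
            if SHELL_META.search(decoded):
                hits[name] = decoded
    if not hits:
        return None
    return {"src": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "params": hits}

def scan(log_text):
    """Run flag_request over every line and collect the alerts."""
    return [a for a in (flag_request(ln) for ln in log_text.splitlines()) if a]

# Constructed sample log: a benign edit, an injection attempt, a double-encoded
# attempt, and an unrelated path that must not alert.
SAMPLE_LOG = """\
203.0.113.5 - - [25/May/2024:10:00:01 +0000] "GET /view/systemConfig/sys_user/user_commit.php?user_name=alice&email2=alice%40example.com HTTP/1.1" 200 512
203.0.113.9 - - [25/May/2024:10:00:07 +0000] "GET /view/systemConfig/sys_user/user_commit.php?user_name=alice%3Bid&email2=x%40example.com HTTP/1.1" 200 640
203.0.113.9 - - [25/May/2024:10:00:08 +0000] "GET /view/systemConfig/sys_user/user_commit.php?user_name=bob&email2=%2524%2528id%2529 HTTP/1.1" 200 640
203.0.113.9 - - [25/May/2024:10:00:09 +0000] "GET /index.php?user_name=bob%3Bid HTTP/1.1" 200 100
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```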

Responsible: VulDB
Disclosure: 05/25/2024
Moderation: accepted
CPE: ready

EPSS: 0.09050
KEV: no
Activities: very low
