| Field | Value |
|---|---|
| Title | Ruijie EG105G-P 1.40 Command Injection |
| Description | An authenticated command injection issue was identified in the Ruijie Reyee EG105G-P web management interface. The vulnerable path is the authenticated JSON-RPC diagnose endpoint POST /cgi-bin/luci/api/diagnose?auth=<sid>. When the nslookup diagnostic method is called, the user-controlled params.target value is inserted into a shell command without shell quoting. Supplying a newline character in params.target causes the shell to execute an additional command after the intended nslookup command. The issue was reproduced against a live EG105G-P device by injecting a newline followed by a curl request to a local HTTP callback listener. The callback was received from the device IP address, and the diagnose API response included the callback listener's response body. |
| Source | https://github.com/ictrun/java/issues/6 |
| User | ictrun (UID 83482) |
| Submission | 05/14/2026 03:29 (1 month ago) |
| Moderation | 06/14/2026 09:02 (1 month later) |
| Status | Accepted |
| VulDB entry | 370840 [Ruijie EG105G-P 2.340 JSON-RPC Diagnose Endpoint diagnose nslookup params.target command injection] |
| Points | 20 |
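A defender-side check for the failure mode the description names, added here as an example (it is not Ruijie's firmware code): an allow-list validator for the nslookup target, an argv builder that never passes the value through a shell, and a gate for the diagnose request body. The JSON-RPC body shape {"method": "nslookup", "params": {"target": "..."}} is an assumption taken from the field names in the description, not confirmed by the page.

```python
import json
import re
import subprocess

# Allow-list grammar for an nslookup target: RFC 1123 hostname labels or a
# dotted IPv4 literal. Anything else (newlines, ';', '|', '$(...)', spaces)
# is rejected before the value can reach a command line. Constructed example.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IPV4_RE = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def is_valid_target(target):
    """True only for a syntactically valid hostname or IPv4 literal.
    fullmatch is used deliberately: '$' would still match before a trailing
    newline, which is exactly the character the advisory abuses."""
    if not isinstance(target, str) or not 1 <= len(target) <= 253:
        return False
    return bool(_HOSTNAME_RE.fullmatch(target) or _IPV4_RE.fullmatch(target))


def build_nslookup_argv(target):
    """Build argv for nslookup. No shell is involved, and the allow-list
    guarantees the value cannot start with '-' or contain separators."""
    if not is_valid_target(target):
        raise ValueError("rejected nslookup target")
    return ["nslookup", target]


def run_nslookup(target, timeout=10):
    """Run the diagnostic without shell=True (not exercised by the test)."""
    return subprocess.run(build_nslookup_argv(target), capture_output=True,
                          text=True, timeout=timeout, check=False).stdout


def check_diagnose_request(body):
    """Gate a JSON-RPC diagnose body. Assumed (hypothetical) shape:
    {"method": "nslookup", "params": {"target": "<host>"}}.
    Returns (allowed, reason) so a WAF or the handler can log the reason."""
    try:
        req = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(req, dict) or req.get("method") != "nslookup":
        return True, "not an nslookup call"
    target = (req.get("params") or {}).get("target")
    if not is_valid_target(target):
        return False, f"invalid nslookup target {repr(target)[:80]}"
    return True, "ok"
```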