CVE-2021-43164
Published 2022-05-04
Priority: P2 · 75 · high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 34.95% (98.2nd percentile)
A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the updateVersion function in /cgi-bin/luci/api/wireless.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruijienetworks | reyeeos | <= 1.55.1915_ew_3.0(1)b11p55 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /cgi-bin/luci/api/wireless containing the 'updateVersion' method with a 'jsonparam' value including shell injection characters (e.g., single-quote, semicolon, hash).
- Detect POST requests to /cgi-bin/luci/api/auth with a JSON body containing 'method':'login' and 'encry':true, which is the authentication step of the exploit chain.
- Flag use of the hardcoded AES encryption key 'RjYkhwzx$2018!' in traffic or in on-disk scripts; this key is used by the exploit to encrypt credentials before sending them to the auth endpoint.
- Monitor for the 'jsonparam' field in POST bodies to /cgi-bin/luci/api/wireless containing shell metacharacters such as '; ... #', indicative of command injection via the updateVersion function.
- The exploit requires authentication: an attacker must first obtain valid credentials (or use default credentials) to retrieve a session ID (sid) before triggering the RCE via the updateVersion endpoint.
- Affected versions are ReyeeOS 1.55.1915 / EW_3.0(1)B11P35 and EW_3.0(1)B11P55; detections should be scoped to Ruijie RG-EW series devices running these firmware versions.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/167099/Ruijie-Reyee-Mesh-Router-Remote-Code-Execution.html
- http://ruijie.com
- https://seclists.org/fulldisclosure/2022/May/0