cbcvebase.
CVE-2021-43164
published 2022-05-04


Priority: P2 · 75 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 34.95% (98.2th percentile)
A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the updateVersion function in /cgi-bin/luci/api/wireless.

Affected (1 range)

Vendor           Product   Version range                   Fixed in
ruijienetworks   reyeeos   <= 1.55.1915_ew_3.0(1)b11p55    none listed

Detection & IOCs (extracted from sources)

url      http://{TARGET}/cgi-bin/luci/api/auth
url      http://{TARGET}/cgi-bin/luci/api/wireless?auth={sid}
path     /cgi-bin/luci/api/wireless
path     /cgi-bin/luci/api/auth
other    RjYkhwzx$2018! (hardcoded AES key)
command  '; {COMMAND} #
  • Detect POST requests to /cgi-bin/luci/api/wireless whose JSON body calls the 'updateVersion' method with a 'jsonparam' value containing shell metacharacters (single quote, semicolon, hash; the exploit's payload has the shape '; {COMMAND} #), indicative of command injection through the updateVersion function.
  • Detect POST requests to /cgi-bin/luci/api/auth with a JSON body containing 'method':'login' and 'encry':true; this is the authentication step of the exploit chain.
  • Flag the hardcoded AES encryption key 'RjYkhwzx$2018!' in traffic or in on-disk scripts; the exploit uses this key to encrypt the credentials it sends to the auth endpoint.
  • The exploit requires authentication: an attacker must first obtain valid credentials (or use default credentials) to retrieve a session ID (sid), which is then passed as the auth query parameter when triggering the RCE via updateVersion.
  • Affected versions are ReyeeOS 1.55.1915 / EW_3.0(1)B11P35 and EW_3.0(1)B11P55; scope detections to Ruijie RG-EW series devices running these firmware versions.
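The detection bullets above as runnable logic, run over constructed sample requests. This is an added example, not the page's, the exploit's or Ruijie's code: the endpoints, method names, the 'jsonparam' and 'encry' fields, the key and the '; {COMMAND} #' shape come from the IOCs listed above, while the request shape, the nesting of fields under 'params', the extra metacharacters, the hostname and the sample bodies are assumptions made here. It also goes one step beyond the bullets by correlating the login and the injected updateVersion call from the same client into a single chain alert.

```python
"""Detection logic for the CVE-2021-43164 exploit chain (Ruijie RG-EW).
Added example; request shapes and sample bodies are assumptions, the
endpoints, fields, key and payload shape are the page's IOCs."""
import json
import re
from urllib.parse import urlsplit

AUTH_PATH = "/cgi-bin/luci/api/auth"
WIRELESS_PATH = "/cgi-bin/luci/api/wireless"
HARDCODED_AES_KEY = "RjYkhwzx$2018!"  # key the exploit uses to encrypt credentials
# Single quote, semicolon and hash are the characters the page names; backtick,
# pipe, ampersand and dollar are added here as an assumption about equivalent vectors.
SHELL_META = re.compile(r"[;'#`|&$]")


def _walk(obj):
    """Yield (key, value) for every key in a nested JSON document.
    Assumption: the exploit may nest its fields under 'params'."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk(value)


def _find(obj, wanted):
    """Return the first value stored under key `wanted`, or None."""
    for key, value in _walk(obj):
        if key == wanted:
            return value
    return None


def analyze_request(method, url, body):
    """Return finding tags for one HTTP request (method, full URL, raw body)."""
    findings = []
    if method.upper() != "POST":
        return findings
    if HARDCODED_AES_KEY in body:  # key literal in traffic or an uploaded script
        findings.append("ruijie-hardcoded-aes-key")
    try:
        data = json.loads(body)
    except ValueError:
        return findings
    path = urlsplit(url).path
    rpc_method = _find(data, "method")
    if path == AUTH_PATH and rpc_method == "login" and _find(data, "encry") is True:
        findings.append("ruijie-login-encry")
    if path == WIRELESS_PATH and rpc_method == "updateVersion":
        param = _find(data, "jsonparam")
        text = param if isinstance(param, str) else json.dumps(param)
        if param is not None and SHELL_META.search(text):
            findings.append("ruijie-updateversion-cmdinject")
    return findings


class ChainTracker:
    """Correlate the two exploit steps per client: an encrypted login followed
    by an injected updateVersion call raises a chain-level alert."""

    def __init__(self):
        self.logged_in = set()

    def observe(self, client, method, url, body):
        findings = analyze_request(method, url, body)
        if "ruijie-login-encry" in findings:
            self.logged_in.add(client)
        if "ruijie-updateversion-cmdinject" in findings and client in self.logged_in:
            findings.append("ruijie-cve-2021-43164-chain")
        return findings


# Constructed sample traffic (not a capture); host and password blob are placeholders.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "POST", "http://router.example/cgi-bin/luci/api/auth",
     '{"method":"login","params":{"username":"admin","password":"<aes-blob>","encry":true}}'),
    ("10.0.0.5", "POST", "http://router.example/cgi-bin/luci/api/wireless?auth=0123456789ab",
     '{"method":"updateVersion","params":{"jsonparam":"\'; cat /etc/passwd #"}}'),
    ("10.0.0.9", "POST", "http://router.example/cgi-bin/luci/api/wireless?auth=fedcba987654",
     '{"method":"getWifiInfo","params":{}}'),
]


def run_samples():
    """Feed the samples through one tracker and return the findings per request."""
    tracker = ChainTracker()
    return [tracker.observe(*request) for request in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for request, found in zip(SAMPLE_REQUESTS, run_samples()):
        print(request[0], request[2], found)
```

The per-request rules fire on their own, so a single injected updateVersion call from a client whose login was not seen (for example because the sensor started late) still produces the cmdinject finding; the chain tag is only an extra confidence signal. Scope the rules to Ruijie RG-EW hosts as the last bullet advises, since other LuCI-based devices expose similar paths.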

CVSS provenance

NVD v3.1   8.8 HIGH     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0   6.5 MEDIUM   AV:N/AC:L/Au:S/C:P/I:P/A:P