cbcvebase.
CVE-2023-4169
published 2023-08-05


Priority: P186, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 47.11% (98.7th percentile)
A vulnerability was found in Ruijie RG-EW1200G 1.0(1)B1P5. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/sys/set_passwd of the component Administrator Password Handler. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-236185 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
ruijie | rg-ew1200g | |
ruijie | rg-ew1200g_firmware | |

Detection & IOCs (extracted from sources)

path: /api/sys/set_passwd
other: app.2fe6356cdd1ddd0eb8d6317d1a48d379.css
command: POST /api/sys/set_passwd {"username":"web","admin_new":"<password>"}
  • Look for unauthenticated POST requests to /api/sys/set_passwd with a JSON body containing 'username' and 'admin_new' fields — this is the exploit payload for the password reset vulnerability.
  • A successful exploit returns HTTP 200 with a JSON body containing '"result":"ok"' and Content-Type application/json — use this as a confirmation matcher.
  • Identify Ruijie RG-EW1200G devices exposed on the internet by searching for the fingerprint CSS asset 'app.2fe6356cdd1ddd0eb8d6317d1a48d379.css' in HTTP response bodies (Shodan/FOFA).
  • The vulnerability affects specifically firmware version 1.0(1)B1P5 of the Ruijie RG-EW1200G; other firmware versions may not be vulnerable.
  • The Nuclei template is marked 'intrusive' because exploitation actively resets the administrator password to a random value, which is destructive to the target device's configuration.
  • The exploit requires only low-privilege (PR:L) authentication per CVSS scoring, meaning a logged-in non-admin user can trigger the password reset — not fully unauthenticated.
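
The request and response matchers in the list above can be run over recorded HTTP traffic. The following is an added example, not code from this page's sources: it assumes a proxy or sensor that writes one JSON object per line and records request and response bodies, and the field names (ts, src, method, uri, req_body, status, resp_content_type, resp_body) are a hypothetical schema. The sample records are constructed.

```python
import json
from urllib.parse import urlsplit

TARGET_PATH = "/api/sys/set_passwd"  # endpoint named on this page

def _json_obj(text):
    """Parse text as a JSON object; anything else (bad JSON, list, None) gives {}."""
    try:
        obj = json.loads(text or "")
    except (TypeError, ValueError):
        return {}
    return obj if isinstance(obj, dict) else {}

def classify(rec):
    """Return None, "attempt" or "confirmed" for one parsed log record."""
    path = urlsplit(str(rec.get("uri", ""))).path.rstrip("/")
    if str(rec.get("method", "")).upper() != "POST" or path != TARGET_PATH:
        return None
    if not {"username", "admin_new"} <= _json_obj(rec.get("req_body")).keys():
        return None
    confirmed = (rec.get("status") == 200
                 and str(rec.get("resp_content_type", "")).lower().startswith("application/json")
                 and _json_obj(rec.get("resp_body")).get("result") == "ok")
    return "confirmed" if confirmed else "attempt"

def scan(lines):
    """Classify JSON-lines log text; the admin_new value is never copied into findings."""
    findings = []
    for line in lines:
        rec = _json_obj(line)
        verdict = classify(rec)
        if verdict:
            findings.append({"ts": rec.get("ts"), "src": rec.get("src"), "verdict": verdict})
    return findings

def _sample(src, method, uri, body, status, resp):
    # Constructed record in the assumed log schema; addresses are documentation ranges.
    return json.dumps({"ts": "2023-08-07T10:00:00Z", "src": src, "method": method, "uri": uri,
                       "req_body": body, "status": status,
                       "resp_content_type": "application/json; charset=utf-8", "resp_body": resp})

RESET = json.dumps({"username": "web", "admin_new": "<password>"})
SAMPLE = [
    _sample("198.51.100.7", "POST", TARGET_PATH, RESET, 200, '{"result":"ok"}'),
    _sample("203.0.113.9", "POST", TARGET_PATH + "?t=1", RESET, 403, '{"result":"fail"}'),
    _sample("192.0.2.10", "GET", TARGET_PATH, "", 200, '{"result":"ok"}'),
    _sample("192.0.2.11", "POST", TARGET_PATH, '{"username":"web"}', 200, '{"result":"ok"}'),
    "not a json line",
]
```

`scan(SAMPLE)` returns one "confirmed" and one "attempt" finding; a "confirmed" verdict means the device accepted the password change and its administrator credential should be treated as replaced.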

CVSS provenance

nvd v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
vulncheck: 6.3 MEDIUM