CVE-2025-11141
BaseFortify
Publication date: 2025-09-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ruijie | nbr2100g-e | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS command injection flaw in the Ruijie NBR2100G-E router, specifically in the 'listAction' function of the file /itbox_pi/branch_passw.php?a=list. It occurs because the 'city' parameter is improperly handled and directly embedded into system commands without proper sanitization. This allows an attacker to remotely inject and execute arbitrary operating system commands on the device, potentially compromising the system. The vulnerability can be exploited remotely and does not require authentication according to some sources. [1, 2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can impact the confidentiality, integrity, and availability of the affected system. An attacker can execute arbitrary commands remotely, potentially gaining control over the device, accessing sensitive information, modifying data, or disrupting services. Since the attack can be performed remotely and may not require authentication, it poses a significant security risk. The affected device could be used as a foothold for further attacks within a network. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/itbox_pi/branch_passw.php?a=list` that include the `city` parameter with unusual or command injection payloads. For example, sending a crafted POST request such as `city=|echo `whoami` >x.php` can test if the system is vulnerable by checking if the command executes and creates the file `x.php`. Network intrusion detection systems (NIDS) can be configured to alert on such suspicious payloads containing command separators like `|`, `;`, `&`, or redirection operators like `>` in the `city` parameter. Commands to test might include using curl or similar tools to send POST requests with payloads designed to trigger command execution, e.g.: `curl -X POST -d "city=|whoami" http://<target>/itbox_pi/branch_passw.php?a=list`. Detection involves verifying if the injected commands execute or if unexpected files or outputs appear on the system. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Implement strict input validation and sanitization on the `city` parameter, allowing only safe characters such as alphanumeric, hyphens, and periods, and rejecting any metacharacters or command separators like `;`, `|`, `&`, `$`, `>`. 2) Avoid using direct shell command execution functions such as `system()`, `popen()`, or `exec()` with user input. Instead, use secure APIs that do not invoke the shell or separate commands and arguments safely. 3) Apply the principle of least privilege by ensuring the web server or CGI process handling the requests runs with minimal privileges, not as root or administrator, to limit the impact of any exploit. Since no vendor patch or official fix is available, consider replacing the affected product to fully mitigate the risk. [2, 1]