CVE-2026-12197
Ruijie EG105G-P Command Injection via JSON-RPC Diagnose

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulDB

Description
A security flaw has been discovered in Ruijie EG105G-P 2.340. The impacted element is the function nslookup of the file /cgi-bin/luci/api/diagnose of the component JSON-RPC Diagnose Endpoint. Performing a manipulation of the argument params.target results in command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Affected Vendors & Products (3 associated CPEs)

Vendor   Product    Version / Range
ruijie   eg105g-p   2.340
ruijie   reyee      1.202.2428
ruijie   eg         3.0(1)b11p340
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Executive Summary

CVE-2026-12197 is an authenticated command injection vulnerability found in the Ruijie Reyee EG105G-P web management interface, specifically in the JSON-RPC diagnose endpoint at POST /cgi-bin/luci/api/diagnose. The vulnerability exists in the nslookup diagnostic method where the user-controlled parameter params.target is inserted into a shell command without proper shell quoting.

An attacker with valid authentication credentials can manipulate params.target by including a newline character to terminate the intended nslookup command and inject additional shell commands. This allows remote command execution on the device.

The vulnerability affects multiple firmware versions and can be exploited remotely over HTTP if the web management interface is accessible.

Impact Analysis

This vulnerability allows an attacker with administrator-level authentication to execute arbitrary shell commands remotely on the affected device.

Successful exploitation can lead to full compromise of the device, including unauthorized access, data theft, disruption of network services, or using the device as a foothold for further attacks within the network.

Because the exploit has been publicly released, the risk of attacks leveraging this vulnerability is increased.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious JSON-RPC calls to the endpoint /cgi-bin/luci/api/diagnose, specifically POST requests invoking the nslookup method with manipulated params.target values.

One way to detect exploitation attempts is to look for unusual command injection patterns such as newline characters or unexpected shell commands embedded in the params.target argument.

For example, you can use network traffic inspection tools or web server logs to search for POST requests containing the nslookup method and suspicious payloads.

  • Use tools like tcpdump or Wireshark to capture HTTP POST traffic to /cgi-bin/luci/api/diagnose.
  • Search web server logs for POST requests with 'nslookup' and unusual characters in params.target, such as newline characters (%0a or \n).
  • Example grep command on logs: grep -i 'nslookup' /var/log/httpd/access.log | grep -E '%0a|\\n' (a newline inside a single log line can only appear URL-encoded as %0a or as the two-character JSON escape \n, which grep -E needs written as \\n; a raw newline character never occurs within one line).
  • Monitor for unexpected outbound connections initiated by the device, which may indicate command injection exploitation (e.g., curl requests to external hosts).
Mitigation Strategies

Immediate mitigation steps include restricting access to the web management interface to trusted networks only, preventing unauthorized remote access.

Monitor and block suspicious JSON-RPC calls to the /cgi-bin/luci/api/diagnose endpoint, especially those invoking the nslookup method with unusual parameters.

Ensure that only authenticated and authorized users have access to the device management interface, as the exploit requires valid credentials.

Long-term remediation involves vendor patching to fix the command injection by avoiding shell string concatenation, using safer argument-vector execution APIs, and implementing strict input validation and quoting.
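As an added example that is not part of this advisory or of Ruijie's firmware, the following Python shows the remediation pattern the paragraph above asks for (an allowlist-validated argument vector executed without a shell, beside the string-concatenation pattern the advisory describes) and reuses the same allowlist as a detection check for the Detection Guidance section, run over a few constructed JSON-RPC bodies. The request shape {"method": ..., "params": {"target": ...}} is inferred from the field names on this page and is an assumption; the sample bodies are constructed, not captured traffic.

```python
"""Allowlist validation for a diagnostic target, used both to build a safe
argument vector and to flag suspicious JSON-RPC bodies in captured traffic.
Added example, not Ruijie code; the request shape is assumed from the
advisory's field names, the sample bodies are constructed."""
import ipaddress
import json
import re
import subprocess

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_target(target) -> bool:
    """True only for a literal IPv4/IPv6 address or an RFC 1123 style hostname.
    Newlines, ';', '|', spaces, quotes and a leading '-' are all rejected, so the
    value can neither break out of a command nor be read as an nslookup option."""
    if not isinstance(target, str) or not 0 < len(target) <= 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(target) is not None


# --- the pattern the advisory describes vs. the hardened form ---

def unsafe_shell_command(target: str) -> str:
    """String concatenation into a shell command line: a newline in target ends
    the nslookup command and whatever follows is run as a separate command."""
    return f"nslookup {target}"


def nslookup_argv(target: str) -> list:
    """Hardened form: allowlist validation first, then an argument vector that is
    handed to the kernel directly, so no shell ever interprets metacharacters."""
    if not is_valid_target(target):
        raise ValueError("target is not a hostname or IP address")
    return ["nslookup", target]


def run_nslookup(target: str, timeout: float = 5.0) -> str:
    """Execute the hardened command (list argv, shell=False is the default)."""
    proc = subprocess.run(nslookup_argv(target), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout


# --- detection: apply the same allowlist to captured JSON-RPC bodies ---

_SHELL_META = "\n\r;&|`$(){}<>\"' \t"


def inspect_body(body: str):
    """Return a finding dict for one request body, or None when nothing is off."""
    try:
        req = json.loads(body)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return {"severity": "info", "reason": "body is not JSON"}
    if not isinstance(req, dict) or req.get("method") != "nslookup":
        return None
    params = req.get("params")
    target = params.get("target") if isinstance(params, dict) else None
    if not isinstance(target, str):
        return {"severity": "medium", "reason": "nslookup call without a string target"}
    if not is_valid_target(target):
        suspicious = sorted({c for c in target if c in _SHELL_META})
        return {"severity": "high", "reason": "params.target fails hostname allowlist",
                "chars": suspicious, "target": target}
    return None


def scan(bodies):
    """Return (index, finding) pairs for every body worth a second look."""
    findings = []
    for i, body in enumerate(bodies):
        finding = inspect_body(body)
        if finding is not None:
            findings.append((i, finding))
    return findings


# Constructed sample bodies (not real captures) as posted to /cgi-bin/luci/api/diagnose.
SAMPLE_BODIES = [
    '{"method":"nslookup","params":{"target":"example.com"}}',
    '{"method":"nslookup","params":{"target":"example.com\\necho injected"}}',
    '{"method":"nslookup","params":{"target":"example.com; echo injected"}}',
    '{"method":"ping","params":{"target":"10.0.0.1"}}',
    'garbage',
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_BODIES):
        print(idx, finding)
    print(nslookup_argv("example.com"))
```

The same allowlist drives both sides: the hardened runner refuses anything that is not a hostname or IP address, and the detector flags exactly those requests, reporting which metacharacters appeared so an analyst can tell a typo from an injection attempt. Matching on an allowlist rather than on known-bad characters also catches variants (carriage return, backticks, $(...)) that a grep for %0a alone would miss.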
