Description
Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of file type, path, or extension. A remote attacker can upload a crafted PHP file and then access it from the web root, resulting in arbitrary code execution in the context of the web service. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-14 UTC.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2025-198992
1. Vulnerability Assessment and Severity Evaluation
The vulnerability EUVD-2025-198992 affects Ruijie NBR series routers, specifically involving an unauthenticated arbitrary file upload vulnerability via the /ddi/server/fileupload.php endpoint. This vulnerability allows an attacker to upload a crafted PHP file and execute arbitrary code in the context of the web service. The severity of this vulnerability is rated with a CVSS Base Score of 9.3, indicating a critical risk.
CVSS Vector Breakdown:
- AV:N (Network Vector): The vulnerability is exploitable over the network.
- AC:L (Low Complexity): The attack requires low complexity to execute.
- AT:N (Attack Requirements: None): No special deployment or execution conditions beyond the attacker's control are needed.
- PR:N (No Privileges Required): No privileges are required to exploit the vulnerability.
- UI:N (No User Interaction): No user interaction is required to exploit the vulnerability.
- VC:H (High Confidentiality Impact): The vulnerability has a high impact on confidentiality.
- VI:H (High Integrity Impact): The vulnerability has a high impact on integrity.
- VA:H (High Availability Impact): The vulnerability has a high impact on availability.
- SC:N (Subsequent System Confidentiality: None): No confidentiality impact on systems beyond the vulnerable device is scored.
- SI:N (Subsequent System Integrity: None): No integrity impact on subsequent systems is scored.
- SA:N (Subsequent System Availability: None): No availability impact on subsequent systems is scored.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Unauthenticated Arbitrary File Upload: An attacker can upload a malicious PHP file to the /ddi/server/fileupload.php endpoint without authentication.
- Remote Code Execution (RCE): Once the malicious file is uploaded, the attacker can execute arbitrary code by accessing the file from the web root.
Exploitation Methods:
- Crafted PHP File: The attacker crafts a PHP file with malicious code and uploads it using the vulnerable endpoint.
- Web Shell: The uploaded PHP file can act as a web shell, allowing the attacker to execute commands on the server.
- Persistent Access: The attacker can maintain persistent access to the router, potentially leading to further exploitation and data exfiltration.
3. Affected Systems and Software Versions
The vulnerability affects Ruijie NBR series routers. The entry does not list specific affected versions, so every deployed version should be treated as vulnerable until the vendor confirms a fixed release. Organizations using these routers should check the installed version against Ruijie's advisory and apply the necessary patches or updates.
4. Recommended Mitigation Strategies
Immediate Actions:
- Patch Management: Apply the latest security patches and updates provided by Ruijie Networks.
- Access Control: Implement strict access controls and network segmentation to limit exposure.
- Monitoring: Enhance monitoring and logging for suspicious activities, especially around the /ddi/server/fileupload.php endpoint.
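One way to act on the monitoring item above, as an added example written for this analysis (not code from Ruijie or from any of the referenced advisories): a small detector that reads web-server access-log lines and raises two tiers of alert. A POST to /ddi/server/fileupload.php is only notable on its own, because the endpoint also serves legitimate use; the same client then fetching a server-side script that returns 200 within a short window is the chain the entry describes and is the high-confidence signal. The log lines, the 15-minute window and the source addresses are constructed for the example; the name/uploadDir check only works when those parameters appear in the URL, since a multipart body is not recorded in an access log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

UPLOAD_ENDPOINT = "/ddi/server/fileupload.php"   # endpoint named in the entry
SCRIPT_EXT = (".php", ".phtml", ".phar")          # assumed list of script extensions
WINDOW = timedelta(minutes=15)                    # assumed correlation window

# Combined log format: ip ident user [ts] "METHOD url PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; addresses are documentation ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jan/2025:03:12:01 +0000] "POST /ddi/server/fileupload.php?name=x.php&uploadDir=../ HTTP/1.1" 200 23 "-" "python-requests/2.31"',
    '203.0.113.7 - - [14/Jan/2025:03:12:03 +0000] "GET /x.php HTTP/1.1" 200 57 "-" "python-requests/2.31"',
    '198.51.100.4 - - [14/Jan/2025:03:15:22 +0000] "GET /login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Jan/2025:03:20:00 +0000] "POST /ddi/server/fileupload.php HTTP/1.1" 200 23 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Jan/2025:03:20:05 +0000] "GET /ddi/server/fileupload.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m["url"].partition("?")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "query": parse_qs(query),
        "status": int(m["status"]),
    }


def suspicious_upload_params(query):
    """True when URL-visible name/uploadDir values look like script upload or
    directory escape. Parameters sent in the multipart body are not visible
    here, so False is not a clean bill of health."""
    name = query.get("name", [""])[0].lower()
    upload_dir = query.get("uploadDir", [""])[0]
    return name.endswith(SCRIPT_EXT) or ".." in upload_dir or upload_dir.startswith("/")


def detect(lines):
    """Return (rule, client_ip, path) tuples, in log order."""
    alerts = []
    uploads = defaultdict(list)   # client ip -> timestamps of upload-endpoint POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            alerts.append(("upload-endpoint-post", rec["ip"], rec["path"]))
            if suspicious_upload_params(rec["query"]):
                alerts.append(("suspicious-upload-parameters", rec["ip"], rec["path"]))
            uploads[rec["ip"]].append(rec["ts"])
            continue
        # Requests for the upload endpoint itself are not "new script" accesses.
        is_script = rec["path"] != UPLOAD_ENDPOINT and rec["path"].lower().endswith(SCRIPT_EXT)
        if is_script and rec["status"] == 200:
            recent = uploads[rec["ip"]]
            if any(timedelta(0) <= rec["ts"] - t <= WINDOW for t in recent):
                alerts.append(("upload-then-script-access", rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for rule, ip, path in detect(SAMPLE_LOG):
        print(f"{rule:30} {ip:15} {path}")
```

On the sample, the first client produces all three rule types; the third client's visit to /login.php is ignored because it never touched the upload endpoint; the second client's POST is logged as notable only, since nothing in the URL or later requests confirms a script was placed.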
Long-Term Strategies:
- Regular Audits: Conduct regular security audits and vulnerability assessments.
- Intrusion Detection: Deploy intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect and prevent unauthorized access.
- User Education: Educate users and administrators about the risks and best practices for securing network devices.
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to European organizations using Ruijie NBR series routers. Given the critical nature of routers in network infrastructure, successful exploitation could lead to widespread disruptions, data breaches, and potential loss of sensitive information. The European Union's cybersecurity frameworks, such as the Network and Information Systems (NIS) Directive, emphasize the importance of securing critical infrastructure, making this vulnerability a high priority for mitigation.
6. Technical Details for Security Professionals
Vulnerability Details:
- Endpoint: /ddi/server/fileupload.php
- Parameters: name, uploadDir
- File Upload Mechanism: The endpoint accepts multipart file content without adequate validation or sanitization.
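The validation that the Description at the top of the page and the File Upload Mechanism item above say is missing, shown as an added example written for this analysis (Python, not Ruijie's fileupload.php handler and not vendor code): before anything is written, the name value must be a plain filename with an allowed, non-script extension, and the path built from uploadDir must still resolve under a fixed upload root. The upload root, the allowed-extension list, the blocked script extensions and the test cases are assumptions constructed for the example; the same checks apply whatever language the real handler is written in.

```python
import os
import re
import tempfile

# Assumed policy for this example: extensions a router upload endpoint legitimately
# needs, plus name components that must never appear (covers "x.php.txt" tricks).
ALLOWED_EXTENSIONS = {".bin", ".cfg", ".txt"}
BLOCKED_PARTS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")   # no separators, no NUL, no spaces


class UploadRejected(ValueError):
    """Raised when an upload request fails validation."""


def resolve_upload_target(upload_root, upload_dir, name):
    """Return the absolute path the file may be written to, or raise UploadRejected.

    Checks, in order:
    1. name is a single plain filename component and not a dotfile;
    2. its final extension is on the allowlist and no component is a script extension;
    3. root/upload_dir/name, after resolving symlinks and '..', is still under root.
    """
    if not SAFE_NAME.fullmatch(name) or name.startswith("."):
        raise UploadRejected(f"bad filename: {name!r}")
    parts = name.lower().split(".")
    if "." + parts[-1] not in ALLOWED_EXTENSIONS or BLOCKED_PARTS & set(parts):
        raise UploadRejected(f"extension not allowed: {name!r}")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, upload_dir, name))
    if os.path.commonpath([root, target]) != root:
        raise UploadRejected(f"destination escapes upload root: {target!r}")
    return target


def save_upload(upload_root, upload_dir, name, content):
    """Validate, then write with O_EXCL so an existing file is never overwritten."""
    target = resolve_upload_target(upload_root, upload_dir, name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return target


def check_cases(upload_root):
    """Run constructed (uploadDir, name) pairs through validation; return verdicts."""
    cases = {
        "good":      ("configs", "backup.cfg"),
        "script":    ("configs", "cmd.php"),
        "double":    ("configs", "cmd.php.txt"),
        "traversal": ("../../www", "x.txt"),
        "absolute":  ("/var/www", "x.txt"),
        "dotfile":   ("configs", ".htaccess"),
    }
    verdicts = {}
    for label, (upload_dir, name) in cases.items():
        try:
            resolve_upload_target(upload_root, upload_dir, name)
            verdicts[label] = "accepted"
        except UploadRejected:
            verdicts[label] = "rejected"
    return verdicts


def demo():
    """Validate the cases in a throwaway root and show that overwrites are refused."""
    root = tempfile.mkdtemp(prefix="uploads-")
    verdicts = check_cases(root)
    save_upload(root, "configs", "backup.cfg", b"hostname nbr\n")
    try:
        save_upload(root, "configs", "backup.cfg", b"second write\n")
        verdicts["overwrite"] = "accepted"
    except FileExistsError:
        verdicts["overwrite"] = "rejected"
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:10} {verdict}")
```

Note that os.path.join discards everything before an absolute uploadDir, which is why the "absolute" case is caught by the realpath/commonpath check rather than by string inspection; rejecting on ".." alone would miss it.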
Exploitation Evidence:
- Observed by Shadowserver Foundation: Exploitation evidence was observed on 2025-01-14 UTC, indicating active exploitation in the wild.
References:
- NVD: CVE-2023-7330
- Chinese Security Blogs: cn-sec.com, cnblogs.com
- GitHub Repositories: Nuclei Templates, rfk0z Blog
- VulnCheck Advisory: VulnCheck
Aliases:
- CVE-2023-7330
- GHSA-m5qv-5372-fh5j
Assigner:
- VulnCheck
ENISA IDs:
- Product: NBR Series Routers (ID: d3032f6c-8441-34c5-b215-5aa1feb7cc30)
- Vendor: Beijing Star-Net Ruijie Network Technology Co., Ltd. (ID: fdf43105-f554-30b2-bb61-960dbfe12a78)
Conclusion
The vulnerability EUVD-2025-198992 in Ruijie NBR series routers is critical and requires immediate attention. Organizations should prioritize patching and implementing robust security measures to mitigate the risk. The European cybersecurity landscape must remain vigilant against such threats to protect critical infrastructure and sensitive data.