LiveActive security incident?Get immediate response
CVE Record

CVE-2020-36870: Ruijie Gateway EG & NBR Models v11.1(6)B9P1 - 11.9(4)B12P1 RCE

Various Ruijie Gateway EG and NBR models firmware versions 11.1(6)B9P1 < 11.9(4)B12P1 contain a code execution vulnerability in the EWEB management system that can be abused via front-end functionality. Attackers can exploit front-end code when features such as guest authentication, local server authentication, or screen mirroring are enabled to gain access or execute commands on affected devices. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-02-05 UTC.

CriticalCVSS 9.2Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

Ruijie EG and NBR gateway routers contain a flaw in their web management system that lets attackers run commands on the device without logging in. Shadowserver observed real-world exploitation in February 2025. If your network uses these gateways with guest auth, local server auth, or screen mirroring features enabled, an attacker reaching the management interface could take over the device and pivot into your network.

Executive priority

Treat as a same-week priority for any environment running Ruijie EG or NBR gateways. Active exploitation plus pre-authentication remote code execution at the network edge means a single unpatched device can become an entry point. Patch, restrict management access, and confirm no compromise has already occurred.

Technical view

CWE-94 code injection in the EWEB management front-end on Ruijie EG and NBR series gateway routers running firmware between 11.1(6)B9P1 and 11.9(4)B12P1. Pre-authentication code execution is reachable when guest authentication, local server authentication, or screen mirroring features are enabled. CVSS 4.0 base 9.2 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H). Shadowserver flagged in-the-wild exploitation on 2025-02-05 UTC. Vendor and CNVD advisories provide patched firmware.

Likely exposure

Affects nineteen RG-EG and EG32xx gateway models running firmware in the listed range when EWEB-exposed features (guest auth, local server auth, screen mirroring) are enabled. Devices with the management interface reachable from the internet or untrusted segments are at highest risk. Ruijie deployments are most common in APAC enterprise, education, and hospitality networks.

Exploitation context

Active exploitation has been observed in the wild: the Shadowserver Foundation reported first sightings on 2025-02-05 UTC per the CVE record. Not currently listed in CISA KEV as of the source bundle. Pre-auth, network-reachable, low complexity — attractive for opportunistic mass scanning and botnet recruitment of edge devices.

Researcher notes

CVSS 4.0 vector indicates Attack Requirements present (AT:P), consistent with the stated precondition that specific EWEB features must be enabled. CWE-94 plus front-end vector suggests injection into a server-side handler reached through web UI functionality. VulnCheck advisory and CNVD-2021-09650 likely contain additional technical detail; confirm exact fixed-version mapping per model on Ruijie's advisories. Note: CVE ID is 2020 but published 2025-11-07 — late-disclosure case.

Mitigation direction

  • Inventory Ruijie EG and NBR gateways and identify firmware versions in the affected range.
  • Apply the patched firmware referenced in Ruijie's security advisories (ruijie.com.cn/gy/xw-aqtg-zw/85638 and 86747).
  • Restrict EWEB management access to trusted management VLANs; block from internet and user segments.
  • Disable guest authentication, local server authentication, and screen mirroring features unless required.
  • Rotate device credentials and review device configuration for unauthorized changes after patching.
  • Monitor for outbound connections from gateways to unfamiliar destinations as a compromise indicator.

Validation and detection

  • Enumerate Ruijie EG/NBR devices via NMS or configuration management and record firmware build strings.
  • Cross-reference firmware against the affected range 11.1(6)B9P1 through 11.9(4)B12P1.
  • Confirm whether guest auth, local server auth, or screen mirroring are enabled on each device.
  • Test that EWEB management ports are not reachable from untrusted networks using an external scan.
  • Review device, firewall, and proxy logs for anomalous EWEB requests since early 2025.
  • Verify post-patch firmware version matches Ruijie's fixed release before closing the ticket.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-94: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-36870 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.2 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
5Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.2CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

9.2Critical
CVSS 4.0 vector shape for CVE-2020-36870Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG1000C11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG2000F11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG2000K11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG2000L11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG2000CE11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG2000SE11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG2000GE11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG2000XE11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG2000UE11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG3000CE11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG3000SE11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG3000GE11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG3000ME11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG3000UE11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG3000XE11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.RG-EG2100-P11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.EG321011.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.EG322011.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.EG323011.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.EG325011.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.NBR108G-P11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.NBR1000G-E11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.NBR1300G-E11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.NBR1700G-E11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.NBR2100G-E11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.NBR2500D-E11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.NBR3000D-E11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.NBR6120-E11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.NBR6135-E11.1(6)B9P1unaffected
Beijing Star-Net Ruijie Network Technology Co., Ltd.NBR6205-E11.1(6)B9P1unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-94 · source CWE mapping

Improper Control of Generation of Code ('Code Injection')

Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.