Security readout for executives and security teams
Plain-English summary
Ruijie EG and NBR gateway routers contain a flaw in their web management system that lets attackers run commands on the device without logging in. Shadowserver observed real-world exploitation in February 2025. If your network uses these gateways with guest auth, local server auth, or screen mirroring features enabled, an attacker reaching the management interface could take over the device and pivot into your network.
Executive priority
Treat as a same-week priority for any environment running Ruijie EG or NBR gateways. Active exploitation plus pre-authentication remote code execution at the network edge means a single unpatched device can become an entry point. Patch, restrict management access, and confirm no compromise has already occurred.
Technical view
CWE-94 code injection in the EWEB management front-end on Ruijie EG and NBR series gateway routers running firmware between 11.1(6)B9P1 and 11.9(4)B12P1. Pre-authentication code execution is reachable when guest authentication, local server authentication, or screen mirroring features are enabled. CVSS 4.0 base 9.2 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H). Shadowserver flagged in-the-wild exploitation on 2025-02-05 UTC. Vendor and CNVD advisories provide patched firmware.
Likely exposure
Affects nineteen RG-EG and EG32xx gateway models running firmware in the listed range when EWEB-exposed features (guest auth, local server auth, screen mirroring) are enabled. Devices with the management interface reachable from the internet or untrusted segments are at highest risk. Ruijie deployments are most common in APAC enterprise, education, and hospitality networks.
Exploitation context
Active exploitation has been observed in the wild: the Shadowserver Foundation reported first sightings on 2025-02-05 UTC per the CVE record. Not currently listed in CISA KEV as of the source bundle. Pre-auth, network-reachable, low complexity — attractive for opportunistic mass scanning and botnet recruitment of edge devices.
Researcher notes
CVSS 4.0 vector indicates Attack Requirements present (AT:P), consistent with the stated precondition that specific EWEB features must be enabled. CWE-94 plus front-end vector suggests injection into a server-side handler reached through web UI functionality. VulnCheck advisory and CNVD-2021-09650 likely contain additional technical detail; confirm exact fixed-version mapping per model on Ruijie's advisories. Note: CVE ID is 2020 but published 2025-11-07 — late-disclosure case.
Mitigation direction
- Inventory Ruijie EG and NBR gateways and identify firmware versions in the affected range.
- Apply the patched firmware referenced in Ruijie's security advisories (ruijie.com.cn/gy/xw-aqtg-zw/85638 and 86747).
- Restrict EWEB management access to trusted management VLANs; block from internet and user segments.
- Disable guest authentication, local server authentication, and screen mirroring features unless required.
- Rotate device credentials and review device configuration for unauthorized changes after patching.
- Monitor for outbound connections from gateways to unfamiliar destinations as a compromise indicator.
Validation and detection
- Enumerate Ruijie EG/NBR devices via NMS or configuration management and record firmware build strings.
- Cross-reference firmware against the affected range 11.1(6)B9P1 through 11.9(4)B12P1.
- Confirm whether guest auth, local server auth, or screen mirroring are enabled on each device.
- Test that EWEB management ports are not reachable from untrusted networks using an external scan.
- Review device, firewall, and proxy logs for anomalous EWEB requests since early 2025.
- Verify post-patch firmware version matches Ruijie's fixed release before closing the ticket.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-94: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2020-36870 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.2 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
9.2CriticalVector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://www.ruijie.com.cn/gy/xw-aqtg-zw/85638/CVE reference · vendor-advisory, patch
- https://www.ruijie.com.cn/gy/xw-aqtg-gw/86747/CVE reference · vendor-advisory, patch
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-09650CVE reference · government-resource, third-party-advisory
- https://www.vulncheck.com/advisories/ruijie-networks-eg-and-nbr-series-routers-rceCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Control of Generation of Code ('Code Injection')
Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
