PT-2025-51299 · Ruijie · Reyeeos
Riyan Firmansyah · Published 2025-12-15 · Updated 2025-12-21 · CVE-2023-53881
CVSS v4.0: 9.2 Critical
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
ReyeeOS version 1.204.1614
Description
ReyeeOS version 1.204.1614 contains an unencrypted CWMP communication issue that allows attackers to intercept and manipulate device communication through a man-in-the-middle attack. Attackers can create a fake CWMP server to inject and execute arbitrary commands on Ruijie Reyee Cloud devices by exploiting unprotected HTTP polling requests. The vulnerability enables trivial man-in-the-middle attacks for remote code execution. The communication occurs via unencrypted channels, allowing interception of data transmitted between the device and the CWMP server.
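A defender-side check for the condition described above, as an added example (not code from this advisory or from Ruijie): it flags an ACS URL that is not HTTPS and identifies CWMP SOAP sessions travelling over plain HTTP in the first bytes of a flow. The host name, flow ids and sample bytes are constructed; the `urn:dslforum-org:cwmp-` namespace is the one TR-069 envelopes declare.

```python
import re
from urllib.parse import urlsplit

# TR-069 SOAP envelopes declare a namespace of this form (cwmp-1-0, cwmp-1-1, ...).
CWMP_NS = re.compile(rb"urn:dslforum-org:cwmp-\d+-\d+")
CWMP_RPC = re.compile(rb"<(?:\w+:)?(Inform|GetRPCMethods|TransferComplete)\b")
HTTP_START = re.compile(rb"(?:POST|GET) \S+ HTTP/1\.[01]\r\n")

def acs_url_is_cleartext(acs_url: str) -> bool:
    """True when a configured ACS URL would carry CWMP without TLS."""
    return urlsplit(acs_url.strip()).scheme.lower() != "https"

def classify_flow(first_bytes: bytes) -> dict:
    """Classify the first client-to-server bytes of one TCP flow."""
    if first_bytes[:2] == b"\x16\x03":  # TLS handshake record header
        return {"cleartext_cwmp": False, "reason": "tls"}
    if not HTTP_START.match(first_bytes):
        return {"cleartext_cwmp": False, "reason": "not-http"}
    _, _, body = first_bytes.partition(b"\r\n\r\n")
    if not CWMP_NS.search(body):
        return {"cleartext_cwmp": False, "reason": "http-no-cwmp"}
    rpc = CWMP_RPC.search(body)
    return {"cleartext_cwmp": True, "reason": "cwmp-over-http",
            "rpc": rpc.group(1).decode() if rpc else None}

def audit(flows: dict) -> list:
    """Return the ids of flows that expose CWMP in cleartext, sorted."""
    return sorted(fid for fid, data in flows.items()
                  if classify_flow(data)["cleartext_cwmp"])

# Constructed sample traffic (hypothetical names, not captured from a device).
SAMPLE_FLOWS = {
    "cpe-a": (b"POST /acs HTTP/1.1\r\nHost: acs.example.invalid\r\n"
              b"Content-Type: text/xml\r\n\r\n"
              b'<soap:Envelope xmlns:cwmp="urn:dslforum-org:cwmp-1-0">'
              b"<soap:Body><cwmp:Inform></cwmp:Inform></soap:Body>"
              b"</soap:Envelope>"),
    "cpe-b": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",  # TLS ClientHello
    "web-c": b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for fid in audit(SAMPLE_FLOWS):
        print(fid, classify_flow(SAMPLE_FLOWS[fid]))
```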
Recommendations
ReyeeOS version 1.204.1614 should be updated to a newer version that contains a fix for this vulnerability.
Exploit
Fix
RCE
Cleartext Transmission of Sensitive Information
Weakness Enumeration
Related Identifiers
Affected Products
Reyeeos