Description
Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of file type, path, or extension. A remote attacker can upload a crafted PHP file and then access it from the web root, resulting in arbitrary code execution in the context of the web service. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-14 UTC.
References (5)
Core References
Various Sources (exploit): https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/ruijie/ruijie-nbr-fileupload.yaml
Various Sources (exploit): https://cn-sec.com/archives/1995366.html
Various Sources (exploit): https://www.cnblogs.com/Domren/articles/19093295
Various Sources (exploit): https://rfk0z.github.io/posts/Ruijie-NBR-router-fileupload-php-arbitrary-file-upload-vulnerability/
Third Party Advisory: https://www.vulncheck.com/advisories/ruijie-networks-nbr-routers-unauthenticated-arbitrary-file-upload-via-fileuploadphp
Scores
CVSS v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS: 0.0075
EPSS Percentile: 73.2%
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
VulnCheck KEV: 2025-11-24
CWE: CWE-434
Status: published
Products (1)
Beijing Star-Net Ruijie Network Technology Co., Ltd./NBR Series Routers
Published: Nov 24, 2025
Tracked Since: Feb 18, 2026