Man-in-the-Middle Remote Code Execution via CWMP in ReyeeOS
Summary
ReyeeOS versions prior to EW_3.0(1)B11P219 contain unprotected CWMP communication that allows attackers to intercept and manipulate device communication through a man-in-the-middle (MITM) attack. Attackers can create a fake CWMP server to inject and execute arbitrary commands on Ruijie Reyee Cloud devices by exploiting the unprotected HTTP polling requests.
Vulnerability Details
The vulnerability exists because the CWMP communication between Ruijie Reyee devices and the cloud controller uses unencrypted HTTP instead of HTTPS. This allows an attacker positioned on the network to:
- Intercept CWMP traffic between the device and cloud controller
- Inject arbitrary commands into the command queue
- Execute those commands on the target device
The communication flow follows the TR-069 CWMP protocol standard, where the device periodically polls the ACS (Auto Configuration Server) for pending commands.
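The two defender-side checks that follow from the description above are (a) confirming that a device's configured ACS URL (the TR-069 ManagementServer.URL parameter) uses HTTPS, and (b) spotting CWMP sessions that are still running over plaintext HTTP in network logs. The script below is an added example written for this advisory, not Ruijie code or part of the original report. The JSON-lines log format and the log records are constructed; the CWMP markers it keys on are the SOAPAction header and the urn:dslforum-org:cwmp namespace from the TR-069 specification, plus port 7547 (the IANA-registered cwmp port) as a weaker heuristic.

```python
"""Flag plaintext CWMP (TR-069) sessions and weak ACS URL configuration.

Added example for the ReyeeOS advisory; not vendor code. The log format and
records below are constructed for illustration. In practice the records
would come from a proxy or a Zeek http.log export.
"""
import json
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample log: one JSON object per line. Record 1 is CWMP over
# plain HTTP (the weak pattern), record 2 is the same session over HTTPS,
# record 3 is ordinary browsing, record 4 is CWMP identified only by its
# XML namespace and port.
SAMPLE_LOG = """\
{"src": "192.0.2.10", "method": "POST", "url": "http://acs.example.invalid/cwmp", "headers": {"SOAPAction": "", "Content-Type": "text/xml"}}
{"src": "192.0.2.11", "method": "POST", "url": "https://acs.example.invalid/cwmp", "headers": {"SOAPAction": "", "Content-Type": "text/xml"}}
{"src": "192.0.2.12", "method": "GET", "url": "http://www.example.invalid/index.html", "headers": {"User-Agent": "Mozilla/5.0"}}
{"src": "192.0.2.13", "method": "POST", "url": "http://10.0.0.5:7547/", "headers": {"Content-Type": "text/xml"}, "body_prefix": "<soap:Envelope xmlns:cwmp='urn:dslforum-org:cwmp-1-0'>"}
"""

CWMP_NAMESPACE = "urn:dslforum-org:cwmp"   # from the TR-069 specification
CWMP_PORT = 7547                           # IANA-registered cwmp port


def is_cwmp_request(rec: Dict) -> bool:
    """Return True if a log record looks like a TR-069 CWMP exchange."""
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if "soapaction" in headers:            # CWMP RPCs are SOAP with this header
        return True
    if CWMP_NAMESPACE in rec.get("body_prefix", "").lower():
        return True
    # Weaker heuristic: traffic to the registered CWMP port.
    return urlparse(rec["url"]).port == CWMP_PORT


def is_plaintext(url: str) -> bool:
    """True when the request is carried over unencrypted HTTP."""
    return urlparse(url).scheme.lower() == "http"


def find_plaintext_cwmp(log_text: str) -> List[Dict[str, str]]:
    """Return the (src, url) pairs of CWMP sessions that use plaintext HTTP.

    These are the sessions an on-path attacker could read and rewrite, which
    is the exposure the advisory describes.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if is_cwmp_request(rec) and is_plaintext(rec["url"]):
            findings.append({"src": rec["src"], "url": rec["url"]})
    return findings


def check_acs_url(url: str) -> List[str]:
    """Validate a device's configured ACS URL (TR-069 ManagementServer.URL).

    Returns a list of issues; an empty list means the URL passes. An HTTPS
    scheme is the minimum needed so the device can authenticate the ACS and
    an interposed server cannot substitute its own command queue.
    """
    issues = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        issues.append(f"scheme is {parsed.scheme or 'missing'}, not https")
    if not parsed.hostname:
        issues.append("no host in URL")
    if parsed.username or parsed.password:
        issues.append("credentials embedded in URL")
    return issues


if __name__ == "__main__":
    for finding in find_plaintext_cwmp(SAMPLE_LOG):
        print(f"plaintext CWMP: {finding['src']} -> {finding['url']}")
    for acs in ("http://acs.example.invalid/cwmp", "https://acs.example.invalid/cwmp"):
        print(acs, "->", check_acs_url(acs) or "ok")
```

Against the constructed log the scan reports records 1 and 4; record 2 is CWMP but encrypted, so it is not an exposure, and record 3 is not CWMP at all. The URL validator is the pre-deployment counterpart: run it over the ACS URL pushed to each device so a plaintext scheme is caught before the device ever polls.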
Affected Versions
- ReyeeOS 1.204.1614 and prior
- Ruijie EW1200G-PRO (firmware EW_3.0(1)B11P204 confirmed vulnerable)
Patched Versions
- Firmware EW_3.0(1)B11P219 and later
Impact
A network-adjacent attacker could:
- Execute arbitrary OS commands on the device
- Gain persistent access to the router
- Pivot to attack devices on the local network
- Intercept or modify network traffic passing through the router
Timeline (GMT+7)
- 2023-04-15: Vulnerability discovered
- 2023-04-17: Initial contact with vendor attempted
- 2023-05-25: Full vulnerability details sent to vendor
- 2023-07-02: Vendor releases firmware EW_3.0(1)B11P219 as patch
- 2023-08-04: No vendor response - public disclosure
- 2025-12-15: CVE Published