Remote code execution vulnerability in Ruijie Networks Product: RG-EW series home routers EW_3.0(1)B11P204, RG-NBS and RG-S1930 series switches SWITCH_3.0(1)B11P218, RG-EG series business VPN routers EG_3.0(1)B11P216, EAP and RAP series wireless access points AP_3.0(1)B11P218, NBC series wireless controllers AC_3.0(1)B11P86 allows remote attackers to gain escalated privileges via crafted POST request to /cgi-bin/luci/api/auth.

A command injection vulnerability exists in the EWEB management system of Ruijie Networks ReyeeOS. An unauthenticated attacker could gain supreme control of devices through this vulnerability. The affected products in Ruijie Networks including RG-EW series home routers and repeaters prior to EW_3.0(1)B11P219, RG-NBS and RG-S1930 series switches prior to SWITCH_3.0(1)B11P219, RG-EG series business VPN routers prior to EG_3.0(1)B11P219, EAP and RAP series wireless access points prior to AP_3.0(1)B11P219, and NBC series wireless controllers prior to AC_3.0(1)B11P219.