Executive Summary:
A high-severity vulnerability has been identified in the SSH server functionality of multiple Ruijie Networks RG-EST300 devices. This flaw could allow a remote, unauthenticated attacker to bypass security controls and gain unauthorized access to affected systems, potentially leading to a compromise of the network device and the broader internal network.

Vulnerability Details

CVE-ID: CVE-2025-58778

Affected Software: Ruijie Networks RG-EST300

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: The vulnerability exists within the SSH server implementation on the affected Ruijie Networks devices. A flaw in the processing of authentication packets allows a remote, unauthenticated attacker to bypass the authentication mechanism. By sending a specially crafted sequence of SSH packets to a vulnerable device, an attacker can exploit this flaw to gain privileged shell access without providing valid credentials.

Business Impact

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could grant an attacker administrative control over the affected network infrastructure device. This could lead to a complete compromise of the device, allowing the attacker to monitor sensitive network traffic, alter network configurations to redirect data, launch further attacks against the internal network (pivoting), or cause a denial-of-service condition. The potential business impact includes data breaches, significant network downtime, and loss of trust in the organization's security posture.

Remediation Plan

Immediate Action: Apply vendor security updates immediately. After patching, it is critical to monitor for any signs of exploitation attempts and review historical SSH access logs for indicators of compromise that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor for unusual SSH connection attempts (default TCP port 22) targeting affected devices, especially from untrusted or external IP addresses. Scrutinize SSH logs for anomalous successful logins that do not correlate with legitimate administrative activity. Implement alerts for any unauthorized configuration changes or unexpected system reboots on these devices.

Compensating Controls: If immediate patching is not feasible, restrict SSH access to the devices' management interfaces using strict firewall rules or access control lists (ACLs), permitting connections only from a dedicated and trusted management network. If SSH is not essential for the device's operation, consider disabling the service entirely as a temporary mitigation measure.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of October 17, 2025, there is no known public proof-of-concept exploit code for this vulnerability. However, given the nature of the flaw (authentication bypass on network equipment), it is highly likely that security researchers and threat actors will develop exploit code by reverse-engineering the vendor patch.

Analyst Recommendation

Due to the High severity (CVSS 7.2) of this vulnerability, which allows for remote authentication bypass, immediate action is required. We strongly recommend that all organizations using the affected Ruijie Networks RG-EST300 devices apply the vendor-supplied security patches on an emergency basis. Although this CVE is not currently on the CISA KEV list, the risk of future exploitation is significant. Prioritize patching for all internet-facing devices immediately, followed by internal devices, and implement the recommended compensating controls and monitoring where patching is delayed.

Executive Summary:
A critical authentication bypass vulnerability has been identified in certain Ruijie network switches. This flaw allows a remote, unauthenticated attacker to gain complete administrative control over affected devices, posing a severe risk of network disruption, configuration changes, and data interception.

Vulnerability Details

CVE-ID: CVE-2025-56752

Affected Software: Ruijie Multiple Products

Affected Versions: The vulnerability is confirmed in RG-ES series switch firmware ESW_1.0(1)B1P39. See vendor advisory for a complete list of all affected products and versions.

Vulnerability: This is a remote authentication bypass vulnerability. An unauthenticated attacker can exploit a flaw in the device's authentication mechanism, likely via a specially crafted network request to the management interface, to gain full administrative privileges without providing valid credentials. Successful exploitation grants the attacker the same level of access as a legitimate administrator, allowing them to view and modify the device's entire configuration, monitor network traffic, and disable security features.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.4. Exploitation could have a significant business impact, leading to a complete compromise of the network segment managed by the affected switch. An attacker with administrative control could re-route, intercept, or drop network traffic, causing widespread service outages (Denial of Service). Furthermore, the attacker could capture sensitive data, alter network configurations to enable further attacks (lateral movement), or install persistent backdoors, severely impacting data confidentiality, integrity, and availability.

Remediation Plan

Immediate Action: The primary remediation is to apply the vendor-supplied security patches immediately. Organizations should update the firmware on all affected Ruijie products to the latest version as recommended by the vendor. After patching, administrators should review access logs for any signs of unauthorized access or configuration changes that may have occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring of all affected network devices. Security teams should configure alerts and review logs for any unusual administrative login attempts, particularly from untrusted or internal IP addresses that do not belong to network administrators. Monitor for unexpected configuration changes, the creation of new user accounts, or abnormal traffic patterns originating from the switch's management interface.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk of exploitation. Restrict network access to the switch's management interface using strict Access Control Lists (ACLs) or firewall rules, ensuring it is only accessible from a dedicated and secured management VLAN or specific trusted IP addresses. Disable management access from the public internet or any untrusted network segments.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Sep 3, 2025, there are no known public proof-of-concept exploits or reports of this vulnerability being actively exploited in the wild. However, due to the critical nature of authentication bypass vulnerabilities in network infrastructure devices, it is highly probable that threat actors will develop exploits by reverse-engineering the patch.

Analyst Recommendation

Given the critical CVSS score of 9.4 and the potential for complete network compromise, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize the deployment of the vendor-provided firmware updates to all affected Ruijie devices. While this CVE is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its severity makes it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls outlined above must be implemented as a matter of urgency to limit the attack surface.