How is CVE-2026-12197 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the device's HTTP/JSON-RPC interface remotely. Authentication (required): An admin-level account is needed to reach the diagnose endpoint; low-privilege credentials are not sufficient. Victim interaction (not-required): No user interaction is needed; the attacker sends a crafted request directly to the endpoint without any victim action. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental setup beyond network access and admin credentials.

What is the impact of CVE-2026-12197?

Reads files, credentials, and configuration data stored on the device's filesystem. Modifies device configuration, routing rules, or stored credentials. Crashes or restarts the affected device, disrupting network connectivity for downstream clients. Establishes a persistent foothold on the router for use as a pivot point into the adjacent network.

Back to search

HIGHCVE-2026-12197Published 2026-06-14Modified 2026-06-14CNA VulDB

CVE-2026-12197: Ruijie EG105G-P JSON-RPC Diagnose Endpoint diagnose nslookup command injection

A security flaw has been discovered in Ruijie EG105G-P 2.340. The impacted element is the function nslookup of the file /cgi-bin/luci/api/diagnose of the component JSON-RPC Diagnose Endpoint. Performing a manipulation of the argument params.target results in command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a command injection vulnerability in the Ruijie EG105G-P router (firmware version 2.340), specifically in the nslookup function of the JSON-RPC Diagnose Endpoint at /cgi-bin/luci/api/diagnose. The endpoint is reachable over the network, but an attacker must supply a manipulated params.target argument while authenticated as an administrator. Successful exploitation gives the attacker arbitrary OS command execution on the device. No vendor patch has been published; HarborGuard is tracking the advisory for fix availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-12197 is available across every HarborGuard environment. The CVE is ingested from upstream feeds (including VulDB) within minutes of publication and matched against customer images and firmware-derived container layers in connected registries and CI pipelines, including custom-built images.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.6 (HIGH) and weighting it against each customer environment's compliance policy to determine escalation priority. Triage routing is available to direct alerts to the appropriate team inbox within each customer organization based on asset ownership rules.

Available

Patch

Because no fix version has been published by Ruijie, HarborGuard re-checks the upstream advisory each ingest cycle and will make a patched-image rebuild available the moment a fix is released. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will trigger automatically once an upstream fix becomes available.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the device's HTTP/JSON-RPC interface remotely.
AuthenticationRequired
An admin-level account is needed to reach the diagnose endpoint; low-privilege credentials are not sufficient.
Victim interactionNot required
No user interaction is needed; the attacker sends a crafted request directly to the endpoint without any victim action.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental setup beyond network access and admin credentials.

Blast Radius

Reads files, credentials, and configuration data stored on the device's filesystem.
Modifies device configuration, routing rules, or stored credentials.
Crashes or restarts the affected device, disrupting network connectivity for downstream clients.
Establishes a persistent foothold on the router for use as a pivot point into the adjacent network.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12197 is active against all images in connected customer registries and pipelines, scored at CVSS 8.6 HIGH. Because Ruijie has not published a fix and did not respond to the coordinated disclosure, no patched rebuild is currently available. HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-tested PR against affected workloads the moment an upstream fix is released. In the interim, compensating controls worth considering include network-policy isolation to restrict access to the device's management interface to trusted admin hosts only, egress filtering to limit lateral movement from a compromised device, and disabling or firewalling the JSON-RPC Diagnose Endpoint if diagnostic functionality is not operationally required. A public proof-of-concept exploit exists for this vulnerability, which raises the practical risk level for any internet-exposed or internally accessible EG105G-P device running firmware 2.340.

See how HarborGuard automates this

Affected packages

Ruijie / EG105G-P
2.340

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

Metrics

Get notified