Ruijie Reyee OS (Update A)

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-24-338-01 | Dec 3, 2024
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple critical vulnerabilities exist in Ruijie Reyee OS versions 2.206.x through 2.319.x that could allow attackers to gain near-complete control over affected devices without authentication. The vulnerabilities involve improper input validation, insecure information exposure, and other weaknesses (CWE-640, CWE-359, CWE-826, CWE-922, CWE-1391, CWE-155, CWE-280, CWE-918, CWE-242, CWE-402). Ruijie has reportedly addressed the issues on their cloud services but has not released device firmware patches, stating no action is needed by end users for cloud-hosted instances.

What this means
What could happen
An attacker could gain near-complete control of Ruijie Reyee OS devices through multiple critical vulnerabilities, potentially allowing them to modify network configurations, access sensitive data, or disrupt network services.
Who's at risk
This affects organizations running Ruijie Reyee OS on network switches and edge devices, particularly those used in enterprise networks, ISP environments, and any facility requiring managed network infrastructure. Any organization with internet-facing or accessible Reyee OS devices is at risk.
How it could be exploited
An attacker with network access to an affected Reyee OS device (versions 2.206.x through 2.319.x) could exploit one or more of the identified vulnerabilities without needing credentials or user interaction to achieve remote code execution and full device compromise.
Prerequisites
  • Network access to the Reyee OS device
  • Device running vulnerable Reyee OS version 2.206.x through 2.319.x
  • Device accessible from attacker's network location
remotely exploitable, no authentication required, low complexity, critical CVSS score 9.8, no patch available, cloud-only mitigation by vendor
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
Product: Reyee OS: >=2.206.x|<2.320.x
Affected Versions: ≥ 2.206.x|<2.320.x
Fix Status: No fix (EOL)
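
To triage a device inventory against the affected range above, the following added example (not part of the advisory or any Ruijie tooling) classifies firmware version strings. The device names and the exact version string formats in the sample inventory are constructed assumptions; adjust the parsing to what your devices actually report.

```python
import re

# Affected range as stated in the advisory: >= 2.206.x and < 2.320.x
AFFECTED_MIN = (2, 206)
AFFECTED_MAX_EXCLUSIVE = (2, 320)

# First dotted version in the string; trailing components may be digits or "x".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.[\dxX]+)*")


def classify(version_string):
    """Return 'affected', 'not_affected' or 'unknown' for a firmware version string."""
    match = _VERSION_RE.search(version_string or "")
    if not match:
        return "unknown"  # unparseable: needs manual review, never assume safe
    major_minor = (int(match.group(1)), int(match.group(2)))
    if AFFECTED_MIN <= major_minor < AFFECTED_MAX_EXCLUSIVE:
        return "affected"
    return "not_affected"  # outside the range the advisory states


def triage(inventory):
    """Group device names by classification, preserving inventory order."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for name, version in inventory:
        result[classify(version)].append(name)
    return result


# Constructed sample inventory (hypothetical device names and version strings)
SAMPLE_INVENTORY = [
    ("sw-lobby-01", "ReyeeOS 2.206.0.1234"),  # lower boundary of the range
    ("sw-floor2-03", "2.319.9"),              # last affected minor version
    ("ap-warehouse", "ReyeeOS 2.320.0"),      # first version outside the range
    ("sw-legacy", "ReyeeOS 1.86.2"),
    ("gw-branch", "2.248.x"),
    ("sw-unlabelled", "n/a"),
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Devices that land in "unknown" should be checked by hand before being treated as outside the affected range.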
Remediation & Mitigation
Do now
HARDENING: Minimize network exposure of Reyee OS devices by ensuring they are not accessible from the internet or untrusted networks
HARDENING: Isolate Reyee OS devices behind firewalls, segregating them from business networks and restricting access to only necessary administrative connections
HARDENING: If remote access to Reyee OS devices is required, implement VPN access with current security patches and restrict administrative access to VPN-only connections
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Segment your network to place Reyee OS devices on a dedicated management network separate from general business and OT operations