Major Vulnerabilities Discovered in Ruijie Networks Cloud Management Platform: A Call for Enhanced Cybersecurity Measures
Major Security Flaws Discovered in Ruijie Networks’ Cloud Management Platform
December 25, 2024 — Ravie Lakshmanan
Cybersecurity experts from Claroty have uncovered a series of alarming vulnerabilities within the cloud management platform of Ruijie Networks, potentially exposing thousands of users to critical cyber threats. The vulnerabilities specifically impact both the Reyee platform and Reyee OS network devices, allowing an attacker to exert control over tens of thousands of cloud-enabled devices.
In their recent security analysis, researchers Noam Moshe and Tomer Goldschmidt identified 10 distinct vulnerabilities, three of which have been categorized as critical. The most concerning flaws include a weak password recovery mechanism (CVE-2024-47547) and a Server-Side Request Forgery (SSRF) vulnerability (CVE-2024-48874), both of which have CVSS scores nearing the maximum of 10. Exploitation of these issues could lead malicious actors to execute arbitrary code on cloud-connected devices, with devastating consequences.
Additionally, the researchers described an innovative attack method dubbed "Open Sesame," allowing attackers to potentially gain unauthorized access by physically proximity hacking an access point. This technique exploits a device’s serial number to facilitate a range of attacks— including Denial-of-Service and unauthorized commands sent to devices.
Crucially, Ruijie Networks has taken prompt action to address these vulnerabilities, announcing that all identified flaws have been patched with no user intervention required. Approximately 50,000 devices connected to the cloud may have been vulnerable prior to the updates.
This discovery highlights ongoing vulnerabilities in Internet-of-Things (IoT) devices, particularly those with minimal security measures yet capable of inciting significant network attacks. In related news, PCAutomotive reported vulnerabilities in the MIB3 infotainment system in certain Skoda vehicles, further underscoring the urgent need for rigorous security evaluations across connected devices in our increasingly digital world.
