PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-45722 Ruijie CVE debrief

Ruijie Reyee OS versions 2.206.x through 2.319.x contain a weak credential mechanism that allows attackers to calculate MQTT credentials. The vulnerability was disclosed by CISA on December 3, 2024, with an update on December 10, 2024 revising the CVSS scores. Ruijie reports that the issue has been fixed on the cloud side with no end-user action required. The vulnerability carries a MEDIUM severity rating with a CVSS 3.1 score of 5.9, reflecting a network attack vector with high attack complexity, no required privileges or user interaction, and a high confidentiality impact.

Vendor: Ruijie
Product: Reyee OS
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-03
Original CVE updated: 2024-12-10
Advisory published: 2024-12-03
Advisory updated: 2024-12-10

Who should care

Organizations operating Ruijie Reyee OS devices in versions 2.206.x through 2.319.x, particularly those using MQTT for device management or telemetry. Security teams managing IoT/OT networks and industrial control systems should assess exposure and verify cloud-side remediation status.

Technical summary

The vulnerability exists in Ruijie Reyee OS versions 2.206.x through 2.319.x, where MQTT credentials can be calculated by attackers because of a weak credential generation mechanism. It is a confidentiality-only vulnerability with high attack complexity: the attack requires network access but no privileges or user interaction, and a successful attack exposes the MQTT credentials without affecting integrity or availability. Ruijie has implemented a cloud-side fix, meaning affected devices that connect to Ruijie cloud services should receive remediation automatically without a manual firmware update.

Defensive priority

medium

Recommended defensive actions

  • Verify device firmware versions against the affected range 2.206.x to 2.319.x
  • Confirm the cloud-side fix has been applied to managed devices
  • Monitor MQTT broker traffic for credential use by clients that are not in the device inventory
  • Apply network segmentation for IoT/OT devices per CISA ICS recommended practices
  • Review CISA guidance on industrial control system defense in depth
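The MQTT monitoring step above can be put into practice by inspecting CONNECT packets from captured broker traffic and flagging any whose client id or username does not match the device inventory. The following is an added example (not code from the advisory, CISA or Ruijie) that parses MQTT 3.1.1 CONNECT packets in Python; the inventory, client ids, usernames and packets are constructed here purely as sample input.

```python
import struct

def _mqtt_str(s):
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def _read_str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _remaining_length(buf, pos):
    # MQTT variable-length integer: 7 data bits per byte, high bit = continuation
    value, shift = 0, 0
    while True:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not buf[pos - 1] & 0x80:
            return value, pos

def sample_connect(client_id, username=None, password=None):
    # Builds a short (<128 byte) MQTT 3.1.1 CONNECT; used only to construct sample input
    flags, payload = 0x02, _mqtt_str(client_id)
    if username is not None:
        flags, payload = flags | 0x80, payload + _mqtt_str(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + _mqtt_str(password)
    body = _mqtt_str("MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + payload
    return bytes([0x10, len(body)]) + body

def parse_connect(packet):
    if packet[0] & 0xF0 != 0x10:
        raise ValueError("not a CONNECT packet")
    _, pos = _remaining_length(packet, 1)
    _, pos = _read_str(packet, pos)  # protocol name "MQTT"
    flags = packet[pos + 1]
    pos += 4  # skip protocol level, connect flags, keep alive
    client_id, pos = _read_str(packet, pos)
    if flags & 0x04:  # will flag set: will topic and will message precede the username
        _, pos = _read_str(packet, pos)
        _, pos = _read_str(packet, pos)
    username = _read_str(packet, pos)[0] if flags & 0x80 else None
    return {"client_id": client_id, "username": username, "has_password": bool(flags & 0x40)}

def unexpected_connects(packets, inventory):
    # Flags CONNECTs whose client id is not inventoried or whose username does not match it
    return [c for c in map(parse_connect, packets) if inventory.get(c["client_id"]) != c["username"]]

# Constructed samples: two inventoried devices plus an unknown client reusing a device username
INVENTORY = {"rg-ap-0001": "dev-0001", "rg-sw-0002": "dev-0002"}
SAMPLES = [sample_connect("rg-ap-0001", "dev-0001", "secret"),
           sample_connect("laptop-xyz", "dev-0002", "secret"), sample_connect("rg-sw-0002", "dev-0002")]
```

Feeding the output of `unexpected_connects` into an alert is enough to surface a known device username arriving from a client the inventory has never seen.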

Evidence notes

The source advisory confirms the affected versions as 2.206.x up to but not including 2.320.x. Ruijie states that cloud-side remediation has been applied. CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. A CVSS 4.0 vector is also provided in the source advisory.

Official resources

CISA published advisory ICSA-24-338-01 on December 3, 2024, with Update A on December 10, 2024 adjusting CVSS scores.