PatchSiren cyber security CVE debrief
CVE-2024-46874 Ruijie CVE debrief
A vulnerability in Ruijie Reyee OS versions 2.206.x through 2.319.x allows authenticated attackers with device credentials to send MQTT messages to restricted topics, enabling command injection to other devices via Ruijie's cloud infrastructure. The issue stems from improper authorization controls on MQTT topic subscriptions, where clients authenticating with legitimate device credentials could publish to topics intended for cloud-to-device communication. This creates a confused deputy scenario where an attacker can impersonate the cloud platform to control other devices in the same tenant environment. The vulnerability was disclosed by CISA on December 3, 2024, with CVSS v3.1 scoring of 7.5 (HIGH) and CVSS v4.0 metrics also available. Ruijie has implemented cloud-side fixes that do not require end-user action.
- Vendor: Ruijie
- Product: Reyee OS
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-12-03
- Original CVE updated: 2024-12-10
- Advisory published: 2024-12-03
- Advisory updated: 2024-12-10
Who should care
Organizations deploying Ruijie Reyee OS-based network infrastructure including wireless access points, switches, and routers; managed service providers operating multi-tenant Ruijie cloud environments; security teams monitoring IoT/OT device communications; and infrastructure operators relying on cloud-managed network equipment where device-to-device command integrity is critical for operational safety.
Technical summary
The vulnerability exists in Ruijie Reyee OS versions 2.206.x through 2.319.x where MQTT clients authenticating with valid device credentials could publish messages to topics normally restricted to Ruijie's cloud platform. The MQTT broker failed to properly enforce topic-level authorization boundaries between authenticated devices, allowing a device with compromised or attacker-controlled credentials to send commands that the broker would forward to other devices as if originating from the legitimate cloud service. This represents an insecure direct object reference (IDOR) pattern in the MQTT topic namespace combined with missing authorization checks on publish operations. The attack requires network access to the MQTT broker (which may be internet-facing for cloud-managed devices) and valid device credentials, but does not require user interaction or elevated privileges beyond standard device authentication. The CVSS v3.1 attack complexity is rated HIGH due to the credential requirement, though the impact achieves complete confidentiality, integrity, and availability compromise of targeted devices.
Defensive priority
HIGH
Recommended defensive actions
- Verify Ruijie Reyee OS device firmware versions are within supported ranges (2.320.x or later) if managing on-premises deployments
- Monitor MQTT broker logs for anomalous topic publishing patterns from device credentials
- Review device-to-cloud communication policies for least-privilege MQTT topic subscriptions
- Audit cloud tenant configurations for unauthorized device associations
- Apply network segmentation between IoT device VLANs and critical infrastructure
- Implement certificate pinning for MQTT TLS connections where feasible
- Subscribe to CISA ICS advisories for follow-up notifications on this vulnerability
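The following is an added illustration, not code from Ruijie or from the advisory, of the two defensive points above: the per-topic publish authorization the technical summary says the broker failed to enforce, and a log check for device credentials publishing into the cloud-to-device lane. The topic layout (`dev/<id>/up`, `dev/<id>/cmd`), the principal name `cloud-controller`, and the log line format are all assumptions; Ruijie's real namespace is not on the page.

```python
import re

# Hypothetical topic layout (Ruijie's real MQTT namespace is not on the page):
#   dev/<device_id>/up   device -> cloud status; only that device may publish
#   dev/<device_id>/cmd  cloud -> device commands; only the cloud may publish
CLOUD_PRINCIPAL = "cloud-controller"
TOPIC_RE = re.compile(r"^dev/(?P<dev>[A-Za-z0-9_-]+)/(?P<dir>up|cmd)$")

def authorize_publish(principal: str, topic: str) -> bool:
    """Least-privilege publish check a broker should apply on every PUBLISH."""
    m = TOPIC_RE.match(topic)
    if not m:
        return False                          # unknown topics are denied by default
    if m["dir"] == "cmd":
        return principal == CLOUD_PRINCIPAL   # cloud-to-device lane is cloud only
    return principal == m["dev"]              # a device may only report as itself

# Constructed broker log lines (not real Ruijie output): "<ts> PUBLISH <principal> <topic>"
SAMPLE_LOG = """\
2024-12-03T10:00:01Z PUBLISH ap-1001 dev/ap-1001/up
2024-12-03T10:00:02Z PUBLISH cloud-controller dev/ap-1002/cmd
2024-12-03T10:00:03Z PUBLISH ap-1001 dev/ap-1002/cmd
2024-12-03T10:00:04Z PUBLISH ap-1001 dev/ap-1002/up
2024-12-03T10:00:05Z PUBLISH sw-7 sys/broadcast
"""

LOG_RE = re.compile(r"^(\S+) PUBLISH (\S+) (\S+)$")

def find_violations(log_text: str) -> list:
    """Return (timestamp, principal, topic) for every publish the ACL would deny.
    A device credential writing into another device's cmd topic is the
    confused-deputy pattern described for CVE-2024-46874."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, principal, topic = m.groups()
        if not authorize_publish(principal, topic):
            hits.append((ts, principal, topic))
    return hits

if __name__ == "__main__":
    for ts, who, topic in find_violations(SAMPLE_LOG):
        print(f"{ts} DENY {who} -> {topic}")
```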
Evidence notes
CISA advisory ICSA-24-338-01 (Update A) published 2024-12-03, modified 2024-12-10 to update CVSS scores. Vendor remediation confirmed as cloud-side fix with no end-user action required. CVSS v3.1 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. CVSS v4.0 vector also provided in source.
Official resources
- CVE-2024-46874 CVE record (CVE.org)
- CVE-2024-46874 NVD detail (NVD)
- Source item URL: cisa_csaf