PatchSiren cyber security CVE debrief

CVE-2024-47043 Ruijie CVE debrief

A medium-severity information disclosure vulnerability in Ruijie Reyee OS versions 2.206.x through 2.319.x could allow an attacker to correlate device serial numbers with owner phone numbers and partial email addresses. The vendor has implemented cloud-based fixes requiring no end-user action.

Vendor: Ruijie
Product: Reyee OS
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-03
Original CVE updated: 2024-12-10
Advisory published: 2024-12-03
Advisory updated: 2024-12-10

Who should care

Organizations operating Ruijie Reyee OS devices in enterprise, industrial, or managed service provider environments; security teams responsible for IoT/OT asset inventory and privacy compliance; network administrators managing device lifecycle and registration data.

Technical summary

The vulnerability exists in Ruijie Reyee OS versions 2.206.x through 2.319.x, where device serial numbers could be correlated with owner contact information, including phone numbers and partial email addresses. The weakness is classed as information disclosure (CWE-200); exploitation needs only low attack complexity and low-privilege (authenticated) network access. The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N encodes a network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and low confidentiality impact with no integrity or availability impact. Ruijie has deployed cloud-side fixes, so no firmware update is required on affected devices.

Defensive priority

Medium

Recommended defensive actions

  • Verify Reyee OS device firmware version through administrative interface; versions 2.206.x through 2.319.x were affected
  • Confirm cloud-based mitigation has been applied by checking vendor security notifications or device management portal
  • Review device registration records for exposure of serial numbers, phone numbers, or email addresses in external systems
  • Apply network segmentation for IoT/OT devices to limit lateral movement in case of credential correlation
  • Monitor for suspicious authentication attempts or account enumeration targeting associated user accounts
  • Follow CISA ICS recommended practices for industrial control systems security posture
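The first action above, checking whether each device's firmware falls in the affected 2.206.x through 2.319.x range, is easy to get wrong with string comparison ("2.99" sorts after "2.319" lexically). The following added example (written for this debrief, not vendor tooling) parses version strings numerically and triages a constructed inventory; the serial numbers and firmware strings are placeholders, and the "ReyeeOS 2.250.0.12" format is an assumption about how an export might look.

```python
import re

# Inclusive affected range from the advisory: 2.206.x .. 2.319.x,
# compared on (major, minor) only, since ".x" covers any patch level.
AFFECTED_MIN = (2, 206)
AFFECTED_MAX = (2, 319)

# Matches the first "major.minor" (with optional further components) in a string.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.\d+)*")


def parse_version(text: str):
    """Return (major, minor) from a string like 'ReyeeOS 2.250.0.12',
    or None if no numeric version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_affected(version_text: str):
    """True if the firmware is within the affected range, False if outside,
    None if the version could not be parsed (needs manual review)."""
    v = parse_version(version_text)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(inventory):
    """Bucket an inventory of {'serial', 'firmware'} records by exposure."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for device in inventory:
        verdict = is_affected(device["firmware"])
        if verdict is None:
            bucket = "unknown"
        elif verdict:
            bucket = "affected"
        else:
            bucket = "not_affected"
        result[bucket].append(device["serial"])
    return result


# Constructed sample inventory: placeholder serials, not real devices.
SAMPLE_INVENTORY = [
    {"serial": "SN-EXAMPLE-0001", "firmware": "ReyeeOS 2.206.0"},    # lower bound
    {"serial": "SN-EXAMPLE-0002", "firmware": "ReyeeOS 2.250.0.12"}, # inside range
    {"serial": "SN-EXAMPLE-0003", "firmware": "ReyeeOS 2.319.99"},   # upper bound
    {"serial": "SN-EXAMPLE-0004", "firmware": "ReyeeOS 2.320.0"},    # just above
    {"serial": "SN-EXAMPLE-0005", "firmware": "ReyeeOS 2.205.9"},    # just below
    {"serial": "SN-EXAMPLE-0006", "firmware": "n/a"},                # unparseable
]

if __name__ == "__main__":
    for bucket, serials in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {serials}")
```

Devices landing in the "unknown" bucket should be checked by hand rather than assumed safe, and because the fix for this CVE is cloud-side, a device in the affected range is not necessarily still exposed; the version check only tells you which devices to confirm against the vendor's mitigation status.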

Evidence notes

CISA ICS advisory ICSA-24-338-01 (Update A) published 2024-12-03 and modified 2024-12-10 confirms the vulnerability scope and remediation status. CVSS 3.1 score 4.3 (Medium) assigned per advisory revision history.
