These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A critical vulnerability in Ruijie Reyee OS versions 2.206.x through 2.319.x allows remote unauthenticated attackers to execute arbitrary operating system commands by sending malicious MQTT messages. The vulnerability stems from the use of an inherently dangerous function in the device's MQTT message handling. This represents a severe risk to affected network infrastructure devices, as successful exploitation [truncated]
A session invalidation vulnerability in Ruijie Reyee OS versions 2.206.x through 2.319.x allows authenticated attackers with high privileges to terminate legitimate user sessions, causing denial-of-service conditions on affected accounts. The vulnerability stems from a product feature that lacks proper session management controls. CISA published this advisory on December 3, 2024, with an update on Decembe [truncated]
CVE-2024-48874 is a HIGH-severity vulnerability (CVSS 7.5) affecting Ruijie Reyee OS versions 2.206.x through 2.319.x. The vulnerability enables attackers to coerce Ruijie's proxy servers into executing arbitrary requests, potentially exposing internal services and AWS cloud metadata services. CISA published this advisory on December 3, 2024, with an update on December 10, 2024 revising CVSS scores. Ruiji [truncated]
CVE-2024-47791 is a medium-severity information disclosure vulnerability affecting Ruijie Reyee OS versions 2.206.x through 2.319.x. The flaw resides in the Ruijie MQTT broker implementation, where improper access controls allow an unauthenticated attacker to subscribe to partial MQTT topics and intercept messages transmitted between devices. Published by CISA on December 3, 2024, and subsequently updated [truncated]
CVE-2024-47547 is a HIGH-severity vulnerability (CVSS 8.2) in Ruijie Reyee OS affecting versions 2.206.x through 2.319.x. The weakness stems from an inadequate password change mechanism that enables brute-force attacks against authentication. Published by CISA on December 3, 2024, and updated on December 10, 2024, this advisory carries high-confidence attribution based on CSAF product tree analysis. Notab [truncated]
A low-severity information disclosure vulnerability in Ruijie Reyee OS allows physically adjacent attackers to obtain device serial numbers by sniffing raw Wi-Fi signals. The vendor has deployed cloud-based fixes requiring no end-user action.
A medium-severity information disclosure vulnerability in Ruijie Reyee OS versions 2.206.x through 2.319.x could allow an attacker to correlate device serial numbers with owner phone numbers and partial email addresses. The vendor has implemented cloud-based fixes requiring no end-user action.
A vulnerability in Ruijie Reyee OS versions 2.206.x through 2.319.x allows authenticated attackers with device credentials to send MQTT messages to restricted topics, enabling command injection to other devices via Ruijie's cloud infrastructure. The issue stems from improper authorization controls on MQTT topic subscriptions, where clients authenticating with legitimate device credentials could publish to [truncated]
Ruijie Reyee OS versions 2.206.x through 2.319.x contain a weak credential mechanism that allows attackers to calculate MQTT credentials. The vulnerability was disclosed by CISA on December 3, 2024, with an update on December 10, 2024 revising CVSS scores. Ruijie reports the issue has been fixed on the cloud side with no end-user action required. The vulnerability carries a MEDIUM severity rating with a C [truncated]
Ruijie Reyee OS versions 2.206.x through 2.319.x contain a feature that could allow sub-accounts or attackers to view and exfiltrate sensitive information from all cloud accounts registered to Ruijie's services. The vulnerability was assigned a CVSS 3.1 score of 4.9 (MEDIUM severity). CISA published this advisory on December 3, 2024, with an update on December 10, 2024, that revised CVSS scores. Ruijie re [truncated]