JVN#86850670
Ruijie Networks AP180 series vulnerable to OS command injection
Overview
AP180 series provided by Ruijie Networks Co., Ltd. contains an OS command injection vulnerability.
Products Affected
Firmware versions prior to AP_RGOS 11.9(4)B1P8 on the following models:
- AP180(JA) V1.xx
- AP180(JP) V1.xx
- AP180-AC V1.xx
- AP180-PE V1.xx
- AP180(JA) V2.xx
- AP180-AC V2.xx
- AP180-PE V2.xx
- AP180-AC V3.xx
- AP180-PE V3.xx
Description
AP180 series provided by Ruijie Networks Co., Ltd. contains the following vulnerability.
- OS command injection (CWE-78)
  - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.6
  - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score 7.2
  - CVE-2026-23699
Impact
If a logged-in user with administrative privileges sends a specially crafted request to the affected product, an arbitrary OS command could be executed.
Solution
Update the Firmware
Apply the appropriate update according to the information provided by the developer.
Apply the workaround
The developer recommends the following workaround if the update cannot be applied.
- Restrict web access to trusted source IP addresses using ACL/whitelist configuration.
Vendor Status
| Vendor | Link |
| Ruijie Networks Co., Ltd. | Download |
Credit
Thanh Do of BabyPhD reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
| CVE | CVE-2026-23699 |
| JVN iPedia | JVNDB-2026-000008 |