Overview
CVE-2023-7330 describes a critical unauthenticated arbitrary file upload vulnerability affecting Ruijie NBR series routers. Discovered in 2025 and actively exploited since, this flaw allows a remote attacker to upload malicious PHP files to the router without authentication, leading to arbitrary code execution on the device. The vulnerable endpoint is `/ddi/server/fileupload.php`.
Technical Details
The vulnerability resides within the `/ddi/server/fileupload.php` endpoint. This endpoint is designed to handle file uploads, but it lacks proper validation and sanitization of user-supplied input. Specifically, the `name` and `uploadDir` parameters can be manipulated by an attacker. The endpoint fails to adequately check the file type, path, or extension of the uploaded file. This allows an attacker to upload a PHP file to a directory accessible from the web root. Once uploaded, the attacker can then access the malicious PHP file via a web browser, causing it to be executed by the web service running on the router.
CVSS Analysis
Due to missing information, a CVSS score is not currently available. However, given the potential for unauthenticated remote code execution, this vulnerability would likely be classified as Critical if assigned a CVSS score. The lack of authentication required for exploitation significantly increases the severity and ease of exploitation.
Possible Impact
Successful exploitation of CVE-2023-7330 can have severe consequences, including:
- Remote Code Execution (RCE): Attackers can execute arbitrary code on the router, potentially gaining complete control over the device.
- Data Theft: Attackers can access sensitive data stored on the router or network.
- Denial of Service (DoS): Attackers can disrupt the normal operation of the router, causing a denial of service for legitimate users.
- Network Compromise: A compromised router can be used as a foothold to gain access to other devices on the network.
- Botnet Recruitment: The compromised router can be added to a botnet and used for malicious activities.
Mitigation or Patch Steps
Currently, the primary mitigation steps are:
- Contact Ruijie Networks: Immediately contact Ruijie Networks to inquire about a patch or firmware update addressing this vulnerability. This is the most important step.
- Network Segmentation: Isolate the Ruijie NBR router on a separate network segment to limit the potential impact of a successful attack.
- Access Control Lists (ACLs): Implement strict ACLs on the router to restrict access to the web management interface from untrusted networks.
- Web Application Firewall (WAF): Consider using a WAF to filter malicious traffic and block attempts to exploit the file upload vulnerability. While it may not fully mitigate the risk, it can add a layer of protection.
- Monitor Network Traffic: Closely monitor network traffic for suspicious activity, such as unexpected connections to the router’s web management interface or attempts to upload unusual files.
- Disable Unnecessary Services: Disable any unnecessary services running on the router to reduce the attack surface.
Crucially, apply the official patch from Ruijie as soon as it becomes available. This is the only permanent fix for the vulnerability.
