CVE-2023-7330 CRITICAL

CVE-2023-7330: Ruijie Networks NBR Routers Unauthenticated Arbitrary File Upload via fileupload.php

Vendor Beijing Star-Net Ruijie Network Technology Co., Ltd.
Product NBR Series Routers
Weakness CWE-434 · Unrestricted file upload
Published November 24, 2025
Last update November 25, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Ruijie NBR series routers contain an unauthenticated arbitrary file upload vulnerability via /ddi/server/fileupload.php. The endpoint accepts attacker-supplied values in the name and uploadDir parameters and saves the provided multipart file content without adequate validation or sanitization of file type, path, or extension. A remote attacker can upload a crafted PHP file and then access it from the web root, resulting in arbitrary code execution in the context of the web service. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-14 UTC.

Key dates

02Disclosure timeline

November 24, 2025 CVE published
November 25, 2025 Record updated