Discover how vulnerability researchers executed a remote code execution attack on Ruijie access points in this 38-minute Black Hat conference talk. Learn about an attack chain that begins simply by sniffing WIFI beacons and escalates to full device control and network infiltration. Follow the researchers' journey as they extract Ruijie's firmware, analyze cloud-communication binaries, and uncover critical vulnerabilities—including one that allowed generating MQTT passwords for all Ruijie devices. See how they impersonated Ruijie cloud services to exploit an "execute-command-as-a-service" feature, gaining complete control over tens of thousands of devices. Gain insights into research techniques and common IoT cloud security pitfalls that can lead to fleet-wide device exploitation.