CVE-2025-10774: OS Command Injection in Ruijie 6000-E10
A weakness has been identified in Ruijie 6000-E10 up to 2.4.3.6-20171117. It affects an unknown part of the file /view/vpn/autovpn/sub_commit.php. Manipulating the argument 'key' causes OS command injection. The attack can be initiated remotely. An exploit has been made publicly available and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10774 is a vulnerability in the Ruijie 6000-E10 network device, specifically affecting firmware version 2.4.3.6-20171117. It resides in the web interface component /view/vpn/autovpn/sub_commit.php and arises from improper validation and sanitization of the 'key' argument, which allows OS command injection: by manipulating this input parameter, an attacker can remotely execute arbitrary operating system commands on the affected device.
The vulnerability does not require user interaction and can be exploited remotely without authentication, although the CVSS vector indicates a requirement for high privileges (PR:H), suggesting that some level of authenticated access or elevated privileges might be necessary to exploit it. The CVSS 4.0 base score is 5.1, categorizing it as a medium severity issue.
The vendor, Ruijie, was contacted early but did not respond or provide a patch, and no official patch links are available. Although exploit code has been publicly released, there are no confirmed reports of active exploitation in the wild.
The vulnerability impacts the confidentiality, integrity, and availability of the device, as arbitrary command execution can lead to data leakage, device compromise, or denial of service. The Ruijie 6000-E10 is typically deployed in enterprise and service provider environments for VPN and network access purposes, making this vulnerability significant for organizations relying on this hardware for secure communications.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial. Ruijie network devices are used in various sectors including telecommunications, enterprise networks, and critical infrastructure. Successful exploitation could allow attackers to gain control over VPN gateways, potentially intercepting or manipulating sensitive data, disrupting secure communications, or pivoting to internal networks. This could lead to data breaches, service outages, and compromise of confidential information. Given the lack of vendor response and patches, organizations face prolonged exposure. The medium severity rating underestimates the potential operational impact if exploited in sensitive environments. European entities with strict data protection regulations such as GDPR could face compliance risks and reputational damage if this vulnerability leads to data loss or unauthorized access. Additionally, the ability to execute OS commands remotely could facilitate lateral movement within networks, increasing the risk of broader compromise.
Mitigation Recommendations
Since no official patch is available, European organizations should implement immediate compensating controls. These include:
1. Restricting access to the management interface of Ruijie 6000-E10 devices to trusted IP addresses and networks using firewall rules or VPN segmentation.
2. Enforcing strong authentication and monitoring for unusual administrative activities to detect potential exploitation attempts.
3. Employing network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect command injection patterns targeting the vulnerable endpoint.
4. Regularly auditing device configurations and logs for signs of compromise.
5. Considering temporary replacement or isolation of vulnerable devices in critical environments until a vendor patch is released.
6. Engaging with Ruijie support channels persistently to obtain updates or patches.
7. Applying network segmentation to limit the impact of a compromised device.
8. Educating network administrators about this vulnerability and ensuring incident response plans include scenarios involving network device compromise.
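
The access restriction, injection-pattern detection and log auditing recommended above can be combined in one log check. The following Python script is an added example, not code from the advisory or from Ruijie. It assumes requests to the device's web interface are recorded in Combined Log Format (for example by a reverse proxy), that 'key' travels in the query string, and that 10.20.0.0/24 is the trusted management subnet; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/view/vpn/autovpn/sub_commit.php"  # path named in the advisory
PARAM = "key"                                  # argument named in the advisory
# Assumption: the management subnet allowed to reach the web interface.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Characters and sequences that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`<>\n\r]|\$\(|\$\{")
# Combined Log Format: client, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETS)

def inspect_line(line):
    """Return a finding for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status = m.groups()
    url = urlsplit(target)
    if url.path != ENDPOINT:
        return None
    reasons = [] if is_trusted(client) else ["untrusted-source"]
    # parse_qs percent-decodes, so encoded metacharacters (%3B, %60) are caught.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    if any(SHELL_META.search(v) for v in values):
        reasons.append("shell-metachar-in-key")
    return {"client": client, "time": ts, "status": int(status), "reasons": reasons} if reasons else None

def scan(lines):
    return [finding for finding in map(inspect_line, lines) if finding]

# Constructed sample lines (not taken from a real device).
SAMPLE_LOG = [
    '10.20.0.5 - admin [22/Sep/2025:09:14:02 +0000] "GET /view/vpn/autovpn/sub_commit.php?key=branch01 HTTP/1.1" 200 312',
    '10.20.0.5 - admin [22/Sep/2025:09:15:40 +0000] "GET /view/vpn/autovpn/sub_commit.php?key=branch01%3Buptime HTTP/1.1" 200 318',
    '198.51.100.23 - - [22/Sep/2025:09:17:11 +0000] "GET /view/vpn/autovpn/sub_commit.php?key=branch02 HTTP/1.1" 200 312',
    '198.51.100.23 - - [22/Sep/2025:09:17:30 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Access logs capture only the query string; if 'key' is submitted in a POST body, the same check has to run on proxy or IDS telemetry that records request bodies.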
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-21T08:28:44.757Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d09c63b68a0c387d430362
Added to database: 9/22/2025, 12:46:27 AM
Last enriched: 9/22/2025, 1:01:38 AM
Last updated: 9/24/2025, 12:09:15 AM
Related Threats
- CVE-2025-43779: CWE-79: Cross-site Scripting in Liferay Portal (Medium)
- CVE-2025-57407: n/a (High)
- CVE-2025-29084: n/a (High)
- CVE-2025-29083: n/a (High)
- CVE-2025-55780: n/a (Medium)