
CVE-2025-11141: OS Command Injection in Ruijie NBR2100G-E

Severity: Medium
Published: Mon Sep 29 2025 (09/29/2025, 04:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Ruijie
Product: NBR2100G-E

Description

A security flaw has been discovered in Ruijie NBR2100G-E up to 20250919. Affected by this issue is the function listAction of the file /itbox_pi/branch_passw.php?a=list. Performing manipulation of the argument city results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/30/2025, 00:12:44 UTC

Technical Analysis

CVE-2025-11141 is an OS command injection vulnerability in the Ruijie NBR2100G-E network device, affecting firmware versions up to 20250919. The flaw resides in the listAction function reached through the /itbox_pi/branch_passw.php?a=list endpoint. By manipulating the 'city' argument, an attacker can inject operating system commands; other parameters might be affected as well, but they have not been enumerated. The attack can be carried out remotely and needs no user interaction (UI:N), but the CVSS vector requires high privileges (PR:H). The CVSS 4.0 base score is 5.1 (medium): the impact on confidentiality, integrity, and availability is rated low for each, and the scope does not extend beyond the vulnerable device itself. Even so, remote OS command execution can lead to unauthorized control, data leakage, or disruption of network services. Ruijie was notified early but has not responded or provided a patch, and a public exploit has been released, which raises both the risk of exploitation and the urgency of mitigation.

Potential Impact

For European organizations, this vulnerability poses a significant risk particularly to those using Ruijie NBR2100G-E devices in their network infrastructure. Successful exploitation could allow attackers to gain unauthorized control over network devices, potentially leading to network disruption, interception or alteration of network traffic, and lateral movement within corporate networks. This could compromise sensitive data and critical services, especially in sectors relying heavily on network availability and integrity such as finance, telecommunications, and government. The medium severity rating suggests that while the impact is not catastrophic, it is sufficient to warrant immediate attention due to the remote exploitability and public availability of exploit code. The lack of vendor patches means organizations must rely on alternative mitigations to protect their infrastructure. Given the strategic importance of network devices as gateways and control points, exploitation could facilitate broader attacks or espionage campaigns targeting European entities.

Mitigation Recommendations

Since no official patch is available from Ruijie, European organizations should implement the following specific mitigations:

1) Immediately isolate affected Ruijie NBR2100G-E devices from untrusted networks or restrict management interfaces to trusted IP addresses only, using firewall rules or access control lists (ACLs).
2) Monitor network traffic for unusual or suspicious requests targeting the /itbox_pi/branch_passw.php?a=list endpoint, especially those containing suspicious 'city' parameter values or other unexpected inputs.
3) Employ intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect and block command injection attempts against this endpoint.
4) Conduct thorough audits of device configurations and logs to identify any signs of compromise or unauthorized command execution.
5) Where possible, replace or upgrade affected devices with alternative hardware or firmware versions not vulnerable to this issue.
6) Implement network segmentation to limit the impact of a compromised device and reduce lateral movement opportunities.
7) Engage with Ruijie support channels persistently to obtain updates or patches and subscribe to vulnerability advisories for timely information.

These steps go beyond generic advice by focusing on network-level controls, active monitoring, and device management practices tailored to this specific vulnerability.
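As an added example (not part of the original advisory or any vendor tooling), mitigation 2 can be prototyped as a log filter that flags requests to the endpoint whose parameter values contain shell metacharacters, including values that were percent-encoded more than once. It assumes a reverse proxy or firewall in front of the device writes Common Log Format lines with the full request target; the function names, sample lines and addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ENDPOINT = "/itbox_pi/branch_passw.php"   # path named in the advisory
# Shell metacharacters; a legitimate city name needs none of them.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\r\n]")
# Assumed log layout: source address first, quoted request line later (Common Log Format).
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %253B -> %3B -> ;)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return names of query parameters whose decoded value has shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    params = [(k, fully_decode(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if ("a", "list") not in params:          # only the listAction route
        return []
    # The advisory says other parameters might be affected, so check all of them.
    return [k for k, v in params if SHELL_META.search(v)]

def scan(lines):
    """Yield (source_ip, [param names]) for each log line that deserves review."""
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            hits = suspicious_params(m.group("target"))
            if hits:
                yield m.group("src"), hits

# Constructed sample lines (documentation addresses, harmless marker strings).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Sep/2025:08:00:01 +0000] "GET /itbox_pi/branch_passw.php?a=list&city=Berlin HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Sep/2025:08:00:05 +0000] "GET /itbox_pi/branch_passw.php?a=list&city=Berlin%3Becho%20marker HTTP/1.1" 200 498',
    '198.51.100.7 - - [30/Sep/2025:08:00:09 +0000] "GET /itbox_pi/branch_passw.php?a=list&city=Berlin%257Cecho%2520marker HTTP/1.1" 200 498',
    '203.0.113.4 - - [30/Sep/2025:08:01:00 +0000] "GET /index.php?city=a%3Bb HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for src, params in scan(SAMPLE_LOG):
        print(f"ALERT src={src} params={','.join(params)}")
```

Parameters sent in a POST body do not appear in the request line, so covering them requires a log source that captures bodies.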


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-28T20:39:34.509Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68db1fa7a473ffe031e278d7

Added to database: 9/30/2025, 12:09:11 AM

Last enriched: 9/30/2025, 12:12:44 AM

Last updated: 10/2/2025, 12:51:23 PM
