CVE-2025-56077: n/a
OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
AI Analysis
Technical Summary
CVE-2025-56077 is an OS command injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 wireless access points. The flaw sits in the module_set handler of the Lua script /usr/local/lua/dev_sta/nbr_cwmp.lua; the CVE text names module_set without saying whether it is a function or a request parameter, and the file name suggests the code belongs to the device's CWMP (TR-069) management path. An attacker with low privileges on the web interface sends a crafted POST request whose field values are incorporated into an operating-system command line and executed with the privileges of the handling process. On embedded access points that process commonly runs as root, which is why a single injected command is treated here as full device compromise. The weakness is CWE-78 (Improper Neutralization of Special Elements used in an OS Command): user-supplied input reaches a command execution function (in Lua typically os.execute or io.popen) without being validated against an allowlist or quoted. The analysis assigns a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Note that the CVE record itself, as listed under Technical Details, carries no CVSS version, so the score is this analysis's own estimate rather than a value published by the CNA. Scope is unchanged, meaning the vulnerable component and the impacted component are the same device; that is still complete control of the access point. No public exploit has been reported and no vendor patch has been published at the time of writing, so defenders must rely on compensating controls. Because the device sits at the network edge and carries client and management traffic, exploitation could let an attacker disrupt wireless service, capture or redirect traffic, read stored configuration and credentials, or pivot into the wired network.
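To make the CWE-78 pattern concrete, the following is an added Lua illustration, not Ruijie's code (nothing from nbr_cwmp.lua is reproduced here). It shows a request handler that concatenates a POST field into a string passed to os.execute, next to a hardened handler that allowlist-validates the value and shell-quotes it anyway. The parameter name iface, the ifconfig command and the shape of the post table are assumptions; a stub run function records the command line instead of executing it, so the file is safe to run with a stock lua interpreter.

```lua
-- Added illustration, not Ruijie's code. Demonstrates the CWE-78 pattern the
-- advisory describes (request input concatenated into a shell command in a
-- Lua web handler) next to a hardened replacement. The parameter name
-- "iface", the "ifconfig" command and the shape of `post` are assumptions.

-- Shell-quote one argument for /bin/sh: wrap in single quotes and turn each
-- embedded single quote into '\'' . gsub returns two values; the parentheses
-- keep only the string.
local function shell_quote(s)
    return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- VULNERABLE: the attacker-controlled value is spliced into a string that
-- os.execute hands to /bin/sh -c. A value such as "eth0;reboot;" makes the
-- shell run "ifconfig eth0", then "reboot", with the handler's privileges.
-- `run` defaults to os.execute; the demo below passes a stub instead.
local function module_set_vulnerable(post, run)
    run = run or os.execute
    local iface = post.iface or ""
    return run("ifconfig " .. iface .. " up")
end

-- HARDENED: allowlist-validate first, then quote the argument regardless.
-- "^[%w_]+$" anchors the whole value and permits only [A-Za-z0-9_];
-- 15 characters is the Linux interface-name limit (IFNAMSIZ - 1).
local IFACE_PATTERN = "^[%w_]+$"

local function validate_iface(value)
    if type(value) ~= "string" or #value == 0 or #value > 15 then
        return nil, "missing or oversized interface name"
    end
    if not value:match(IFACE_PATTERN) then
        return nil, "interface name contains disallowed characters"
    end
    return value
end

local function module_set_hardened(post, run)
    run = run or os.execute
    local iface, err = validate_iface(post.iface)
    if not iface then
        return false, err          -- rejected before any command is built
    end
    -- Quoting is defence in depth: if the pattern is later loosened (for
    -- example to allow '.' in VLAN sub-interface names), the shell still
    -- sees the value as a single literal argument.
    return run("ifconfig " .. shell_quote(iface) .. " up")
end

-- Demo with constructed inputs. `capture` records the command line instead
-- of executing it, so nothing on the host is touched.
local commands = {}
local function capture(cmd) commands[#commands + 1] = cmd; return true end

local attack = { iface = "eth0;reboot;" }   -- constructed payload, 12 chars
local benign = { iface = "eth0" }

module_set_vulnerable(attack, capture)
assert(commands[1] == "ifconfig eth0;reboot; up")   -- injection succeeded

local ok, err = module_set_hardened(attack, capture)
assert(ok == false and #commands == 1)              -- rejected, nothing built
print("hardened handler rejected payload: " .. err)

assert(module_set_hardened(benign, capture) == true)
assert(commands[2] == "ifconfig 'eth0' up")
print("vulnerable built: " .. commands[1])
print("hardened built:   " .. commands[2])
```

The validation step is the real fix; the quoting only limits the damage of a later mistake. Rejecting the request outright (rather than stripping metacharacters) keeps the handler's behaviour predictable and gives the logging recommendations below a clean event to record.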
Potential Impact
For European organizations, exploitation of CVE-2025-56077 could mean loss of control over edge network infrastructure, with knock-on effects on service availability and data confidentiality. RG-RAP2200(E) 247 2200 access points are typically deployed in enterprise and service-provider environments to provide wireless access under central management. An attacker who can execute arbitrary commands on one can install persistent malware, sniff or redirect the traffic of every wireless client the access point serves, read the stored configuration (which often contains credentials for upstream management systems), or simply take the access point offline. This threatens the confidentiality of communications crossing the device, the integrity of its configuration, and the availability of wireless service. Organizations in telecommunications, finance, government, and critical infrastructure that depend on these devices are especially exposed. Because the attack is remote and needs no user interaction, automated exploitation of internet-reachable or poorly segmented management interfaces is plausible once a working payload circulates; with no patch available, compensating controls are the only defence until the vendor ships a fix.
Mitigation Recommendations
1. Immediately restrict network access to the management interfaces of the RG-RAP2200(E) 247 2200 devices: expose them only on a dedicated management VLAN or through a VPN, and never to client wireless networks or the internet. Because the flaw needs only low privileges, any account that can log in to the web interface is a potential attacker, so treat guest and read-only accounts as in scope.
2. Put access-control lists or a reverse proxy in front of the management interface so that POST requests to its endpoints are accepted only from approved administrator sources. A plain L3/L4 firewall can enforce the source restriction but cannot tell a module_set request apart from other management traffic; content-level filtering needs a proxy or WAF.
3. Deploy IDS/IPS or WAF rules that inspect HTTP POST bodies sent to the management interface for shell metacharacters (`;`, `|`, `&`, backticks, `$(`) and their URL-encoded forms (`%3B`, `%7C`, `%26`, `%60`, `%24%28`), and alert on any POST that references module_set from an unexpected source.
4. Log device management traffic (at the proxy, or from the device's own logs where available) and monitor it for unusual POST requests, new administrator logins, and unexpected processes, files, or outbound connections on the device.
5. Enforce strong, unique administrator credentials, multi-factor authentication where the platform supports it, and role-based access control so that as few accounts as possible can reach the vulnerable handler.
6. Track Ruijie Networks advisories and apply the vendor fix as soon as one is published.
7. Segment the network so that a compromised access point cannot reach critical servers, management systems, or other infrastructure directly.
8. Run regular vulnerability scans to find exposed RG-RAP2200(E) management interfaces, and include these devices in penetration tests to confirm that the compensating controls actually block the attack path (a penetration test verifies exposure; it does not detect live exploitation, which is what items 3 and 4 are for).
9. Brief network administrators on the vulnerability and its indicators of compromise (unexpected reboots, configuration changes, unknown processes, outbound connections from the access point) so that incidents are recognised and escalated quickly.
10. If the device's CWMP (TR-069) management client is not in use, disable it. The script name nbr_cwmp.lua suggests the vulnerable handler belongs to that subsystem, although the attack path stated in the CVE is an HTTP POST to the device, not the CWMP session itself, so this is a reduction of surface rather than a fix.
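Recommendations 3 and 4 ask for detection of injection attempts in POST traffic. The following added example (not from the page, the vendor, or any product rule set) is a small Lua scanner over constructed request-log lines that implements that heuristic: it URL-decodes each form field of a POST that references module_set and flags fields containing shell metacharacters. The log format (timestamp, client IP, method, path, URL-encoded body, space-separated), the path /api/module_set, and all sample lines are constructed assumptions; adapt the line parser to whatever your proxy or device actually emits.

```lua
-- Added example, not from the page or from Ruijie. Heuristic scanner for
-- command-injection attempts in POST bodies. Log format, request path and
-- sample lines are constructed assumptions.

-- Decode '+' and %XX escapes so encoded payloads (e.g. %3B for ';') are seen
-- in their decoded form. gsub returns two values; parentheses keep the string.
local function url_decode(s)
    s = s:gsub("%+", " ")
    return (s:gsub("%%(%x%x)", function(hex)
        return string.char(tonumber(hex, 16))
    end))
end

-- Split "a=1&b=2" into a table of decoded key/value pairs. Splitting on '&'
-- happens before decoding, so an encoded %26 inside a value survives as '&'
-- and is then caught by the metacharacter check.
local function parse_form(body)
    local fields = {}
    for pair in body:gmatch("[^&]+") do
        local k, v = pair:match("^([^=]*)=?(.*)$")
        fields[url_decode(k)] = url_decode(v)
    end
    return fields
end

-- Characters that let a value escape a single shell argument. '$' covers
-- $(...) and ${...}; newline/CR cover header-style splitting.
local SHELL_META = "[;|&`$<>\n\r]"

-- Returns nil for a line that looks benign, otherwise a table describing the
-- hit. Only POSTs that mention module_set in the path or body are inspected,
-- so a ';' in an unrelated login form does not raise an alert.
local function inspect_line(line)
    local ts, ip, method, path, body =
        line:match("^(%S+)%s+(%S+)%s+(%u+)%s+(%S+)%s*(.*)$")
    if not ts or method ~= "POST" then return nil end
    if not (path:find("module_set", 1, true) or body:find("module_set", 1, true)) then
        return nil
    end
    for key, value in pairs(parse_form(body)) do
        if value:find(SHELL_META) then
            return { ts = ts, ip = ip, path = path, field = key, value = value }
        end
    end
    return nil
end

-- Constructed sample log lines (not captured traffic).
local LOG = {
    "2025-12-11T18:24:12Z 10.0.0.5 POST /api/module_set iface=eth0&mode=sta",
    "2025-12-11T18:24:13Z 10.0.0.5 GET /api/status",
    "2025-12-11T18:25:40Z 198.51.100.7 POST /api/module_set iface=eth0%3Bcat+%2Fetc%2Fpasswd",
    "2025-12-11T18:25:41Z 198.51.100.7 POST /api/module_set iface=eth0%60id%60",
    "2025-12-11T18:26:02Z 10.0.0.9 POST /api/login user=admin&pass=s3cret%3B",
}

local hits = 0
for _, line in ipairs(LOG) do
    local hit = inspect_line(line)
    if hit then
        hits = hits + 1
        print(string.format("ALERT %s %s %s field=%s value=%q",
            hit.ts, hit.ip, hit.path, hit.field, hit.value))
    end
end
assert(hits == 2)   -- lines 3 and 4 fire; line 5 is out of scope, line 1 is clean
```

The scoping to module_set requests is what keeps the false-positive rate usable: the same metacharacter test applied to every POST would fire on every password containing a semicolon. When porting this to a SIEM or IDS rule, keep both halves (request scope and decoded-value test) rather than matching raw encoded bytes, since `%3B` and `;` must be treated identically.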
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693b0c4c7d4c6f31f7befcea
Added to database: 12/11/2025, 6:24:12 PM
Last enriched: 12/19/2025, 5:26:21 AM
Last updated: 2/7/2026, 12:41:33 AM
Views: 48
Related Threats
- CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core (High)
- CVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core (High)
- CVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub (High)
- CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea (High)
- CVE-2026-25803: CWE-798: Use of Hard-coded Credentials in denpiligrim 3dp-manager (Critical)