
CVE-2025-56077: n/a

Published: Thu Dec 11 2025 (12/11/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

OS Command Injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.

AI-Powered Analysis

Last updated: 12/11/2025, 18:41:34 UTC

Technical Analysis

CVE-2025-56077 is an OS command injection vulnerability in Ruijie RG-RAP2200(E) 247 2200 series network devices. The flaw is in the module_set function of the Lua script at /usr/local/lua/dev_sta/nbr_cwmp.lua. An attacker can exploit it with a crafted POST request that injects arbitrary OS commands, which the device executes with the privileges of the affected service. Vulnerabilities of this type typically arise when user-supplied data is passed to system-level command execution functions without sufficient validation or sanitization. Successful exploitation could allow attackers to execute arbitrary commands on the device, potentially leading to full system compromise, unauthorized configuration changes, data exfiltration, or disruption of network services.

The CVE was reserved in August 2025 and published in December 2025. No CVSS score or patches have been released yet, and no active exploits are known. The record does not state whether authentication or user interaction is required, but because the attack is a POST request to a device management module, it likely requires network access to the device's management interface. The vulnerability poses a significant risk to organizations relying on Ruijie RG-RAP2200 devices, especially where these devices are exposed to untrusted networks or sit on insufficiently segmented internal networks.

Potential Impact

For European organizations, the impact of CVE-2025-56077 could be severe. Ruijie devices are used in various enterprise and service provider networks, and a successful attack could lead to unauthorized control over network access points, disruption of network connectivity, and potential lateral movement within corporate networks. Confidential information could be exposed or manipulated, and network availability could be compromised, affecting business operations. Critical infrastructure sectors such as telecommunications, finance, and government agencies that deploy Ruijie devices may face increased risks of espionage, sabotage, or service outages. The ability to execute arbitrary commands on network devices can also facilitate the deployment of persistent malware or backdoors, complicating incident response and recovery efforts. The absence of known exploits currently provides a window for proactive mitigation, but the publication of this vulnerability signals that attackers may develop exploits soon, increasing urgency for European entities to act swiftly.

Mitigation Recommendations

1. Immediately restrict network access to the management interfaces of Ruijie RG-RAP2200 devices, ensuring they are not exposed to untrusted or public networks.
2. Implement strict firewall rules and network segmentation to limit access to the vulnerable POST endpoint.
3. Monitor network traffic for unusual POST requests that invoke module_set in /usr/local/lua/dev_sta/nbr_cwmp.lua, or similar paths indicative of exploitation attempts.
4. Deploy intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect command injection patterns specific to this vulnerability.
5. Coordinate with Ruijie for official patches or firmware updates and apply them promptly once available.
6. Conduct internal audits to identify all Ruijie RG-RAP2200 devices in the network and assess their exposure.
7. Employ multi-factor authentication and strong access controls on device management interfaces to reduce the risk of unauthorized exploitation.
8. Prepare incident response plans tailored to potential device compromise scenarios.
9. Educate network administrators about this vulnerability and encourage vigilance for suspicious activity.
10. Consider temporary device replacement or alternative solutions if patching is delayed.

Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-08-16T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 693b0c4c7d4c6f31f7befcea

Added to database: 12/11/2025, 6:24:12 PM

Last enriched: 12/11/2025, 6:41:34 PM

Last updated: 12/12/2025, 4:01:08 AM
