CVE-2025-56084: n/a
OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
AI Analysis
Technical Summary
CVE-2025-56084 is an OS Command Injection vulnerability identified in the Ruijie RG-EW1800GX PRO router firmware version B11P226_EW1800GX-PRO_10223117. The flaw resides in the handling of POST requests to the module_set function within the Lua script located at /usr/local/lua/dev_sta/nbr_cwmp.lua. The weakness is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command): user-supplied input from the request is not properly sanitized before being passed to system command execution functions. An attacker with low privileges (PR:L) can remotely send a crafted POST request to this endpoint, resulting in arbitrary command execution on the underlying operating system. The attack vector is network-based (AV:N), requires no user interaction (UI:N), and the scope is unchanged (S:U), meaning the impact is confined to the vulnerable component. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a critical risk for affected devices. The lack of available patches at the time of publication increases the urgency for mitigation. This vulnerability could allow attackers to take full control of the device, manipulate network traffic, exfiltrate sensitive data, or disrupt network services.
Potential Impact
For European organizations, exploitation of CVE-2025-56084 could lead to severe operational disruptions and data breaches. Compromised routers can serve as entry points for lateral movement within corporate networks, enabling attackers to bypass perimeter defenses. Confidentiality is at risk as attackers may intercept or redirect sensitive communications. Integrity can be undermined by injecting malicious configurations or firmware modifications. Availability may be impacted through denial-of-service conditions triggered by malicious commands. Critical infrastructure sectors such as telecommunications, finance, and government agencies relying on Ruijie networking equipment are particularly vulnerable. The potential for widespread disruption is heightened in environments where these routers are deployed at scale or in key network segments. Additionally, the lack of user interaction and low privilege requirements lower the barrier for attackers, increasing the likelihood of exploitation. European organizations must consider the threat in the context of increasing geopolitical tensions and targeted cyberattacks against network infrastructure.
Mitigation Recommendations
1. Monitor Ruijie's official channels closely for security advisories and apply firmware updates or patches immediately upon release.
2. Until patches are available, restrict access to the router's management interfaces by implementing network segmentation and firewall rules limiting POST requests to trusted IP addresses only.
3. Employ intrusion detection/prevention systems (IDS/IPS) to detect anomalous POST requests targeting /usr/local/lua/dev_sta/nbr_cwmp.lua or unusual command execution patterns.
4. Conduct regular audits of router configurations and logs to identify unauthorized changes or suspicious activities.
5. Disable or limit remote management features if not strictly necessary.
6. Use network-level authentication and encryption to reduce exposure of management interfaces.
7. Educate network administrators about the vulnerability and signs of exploitation.
8. Consider deploying network behavior analytics tools to detect lateral movement originating from compromised routers.
9. Develop incident response plans specifically addressing router compromise scenarios.
10. Collaborate with Ruijie support for guidance and potential workarounds until official patches are released.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693b0c4e7d4c6f31f7befd1c
Added to database: 12/11/2025, 6:24:14 PM
Last enriched: 12/19/2025, 5:27:21 AM
Last updated: 2/4/2026, 12:52:58 PM
Views: 41