CVE-2025-56085 is an OS Command Injection vulnerability identified in the Ruijie RG-EW1200 wireless device firmware version EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00. The flaw exists in the module_set functionality implemented in the Lua script located at /usr/local/lua/dev_config/config_retain.lua. An attacker with low privileges can craft a specially designed POST request targeting this module_set endpoint to inject arbitrary operating system commands. This injection occurs due to insufficient sanitization of user-supplied input, classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability allows remote code execution without requiring user interaction, and no authentication beyond low privilege is needed, making exploitation relatively straightforward over the network. The CVSS v3.1 base score of 8.8 reflects high impact on confidentiality, integrity, and availability, as attackers can fully control the device, potentially pivoting into internal networks or disrupting wireless services. Although no known exploits are currently in the wild, the vulnerability’s characteristics suggest it could be weaponized rapidly. The absence of published patches at the time of disclosure necessitates immediate defensive measures. The Ruijie RG-EW1200 is commonly deployed in enterprise and critical infrastructure environments, increasing the potential impact of exploitation. This vulnerability highlights the need for rigorous input validation and secure coding practices in embedded device firmware, especially for network management interfaces exposed to untrusted networks.

For European organizations, exploitation of CVE-2025-56085 could lead to complete compromise of affected Ruijie RG-EW1200 devices, resulting in unauthorized access to internal networks, data exfiltration, disruption of wireless connectivity, and potential lateral movement to other critical systems. Given the device’s role in network infrastructure, attackers could intercept or manipulate sensitive communications, degrade service availability, or establish persistent footholds. This is particularly concerning for sectors such as telecommunications, government, healthcare, and critical infrastructure operators where Ruijie devices may be deployed. The high CVSS score indicates severe consequences, including loss of confidentiality, integrity, and availability. The ease of exploitation without user interaction or high privileges increases the likelihood of targeted attacks or automated scanning campaigns. European organizations relying on these devices must consider the risk of espionage, sabotage, or ransomware attacks facilitated by this vulnerability. The lack of an official patch at disclosure time further elevates risk exposure.

1. Immediately restrict access to the management interfaces of Ruijie RG-EW1200 devices to trusted networks only, using network segmentation and firewall rules. 2. Monitor network traffic for unusual POST requests targeting the module_set endpoint or other suspicious activity indicative of command injection attempts. 3. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection patterns specific to this vulnerability. 4. Disable or limit remote management features where feasible until a vendor patch is available. 5. Engage with Ruijie support channels to obtain official patches or firmware updates as soon as they are released and prioritize their deployment. 6. Conduct thorough audits of device configurations and logs to identify any signs of compromise. 7. Implement strict input validation and sanitization controls if custom scripts or configurations interact with the vulnerable module. 8. Educate network administrators about the vulnerability and the importance of rapid response to suspicious device behavior. 9. Consider temporary replacement or isolation of vulnerable devices in critical environments until patched. 10. Maintain an up-to-date asset inventory to quickly identify affected devices across the organization.