CVE-2025-56086 is an OS Command Injection vulnerability identified in the Ruijie RG-EW1200 wireless router firmware version EW_3.0(1)B11P227_EW1200_11130208RG-EW1200 V1.00. The flaw resides in the module_get function within the /usr/local/lua/dev_sta/networkConnect.lua script, which processes POST requests. An attacker with low privileges can craft a malicious POST request that injects arbitrary OS commands, which the device executes with the privileges of the affected process. This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that user-supplied input is not properly sanitized before being passed to system command execution functions. The CVSS v3.1 base score is 8.8, reflecting a network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N), with high impact on confidentiality (C:H), integrity (I:H), and availability (A:H). Although no public exploits are currently known, the vulnerability's nature allows attackers to gain full control over the device, potentially pivoting into internal networks or disrupting network services. The vulnerability was reserved in August 2025 and published in December 2025, with no patches currently listed, indicating that organizations must rely on interim mitigations until vendor updates are released.

For European organizations, this vulnerability poses a critical risk to network infrastructure security, especially for those deploying Ruijie RG-EW1200 routers. Exploitation can lead to unauthorized command execution, enabling attackers to manipulate device configurations, intercept or redirect traffic, deploy malware, or cause denial of service. This can compromise sensitive data confidentiality, disrupt business operations, and damage organizational reputation. Industries with stringent data protection requirements, such as finance, healthcare, and government, are particularly vulnerable. The ability to execute commands remotely without user interaction increases the likelihood of automated exploitation attempts, potentially leading to widespread network compromise. Additionally, compromised routers can serve as footholds for lateral movement within corporate networks or as launch points for attacks against other targets, amplifying the threat's impact across European enterprises.

1. Immediately restrict access to the router's management interfaces by implementing network segmentation and firewall rules to limit POST requests to trusted sources only. 2. Monitor network traffic for unusual POST requests targeting /usr/local/lua/dev_sta/networkConnect.lua or the module_get function, using intrusion detection systems or custom signatures. 3. Disable or restrict remote management features if not required to reduce the attack surface. 4. Apply vendor-provided patches or firmware updates as soon as they become available; maintain close communication with Ruijie for timely updates. 5. Conduct regular security audits of network devices to detect unauthorized changes or signs of compromise. 6. Implement strict privilege management on network devices to minimize the impact of potential exploits. 7. Educate network administrators about the vulnerability and encourage vigilance for suspicious device behavior. 8. Consider deploying network-level protections such as web application firewalls or proxy filtering to block malicious payloads targeting this vulnerability.