CVE-2025-56087 is an OS command injection vulnerability identified in the Ruijie RG-BCR RG-BCR600W wireless controller device. The flaw resides in the run_tcpdump function implemented in the Lua script located at /usr/lib/lua/luci/controller/admin/common_tcpdump.lua. An attacker can exploit this vulnerability by sending a crafted POST request to this endpoint, which improperly sanitizes input parameters, allowing arbitrary OS commands to be executed with the privileges of the running service. This can lead to full system compromise, including unauthorized access, data exfiltration, or disruption of network services. The vulnerability is particularly dangerous because it does not require user interaction and may be exploitable remotely if the administrative interface is exposed or accessible within the network. No CVSS score has been assigned yet, and no public exploits have been reported, but the nature of the vulnerability indicates a high risk. The affected device is typically used in enterprise and service provider environments to manage wireless networks, making it a valuable target for attackers aiming to disrupt or infiltrate organizational networks. The lack of available patches at the time of publication increases the urgency for organizations to implement interim mitigations such as network segmentation and access controls.

The impact of CVE-2025-56087 on European organizations could be severe, especially for those relying on Ruijie RG-BCR600W devices for wireless network management. Successful exploitation allows attackers to execute arbitrary commands on the device, potentially leading to full compromise of the device and lateral movement within the network. This could result in unauthorized access to sensitive data, disruption of wireless network services, and the introduction of persistent backdoors. Critical infrastructure sectors, enterprises, and service providers using these devices may face operational downtime, data breaches, and reputational damage. Given the device’s role in network management, the vulnerability could also be leveraged to launch further attacks against connected systems. The absence of known exploits currently provides a window for mitigation, but the risk remains high due to the ease of exploitation and the critical nature of the affected device.

1. Immediately restrict access to the administrative interface of the Ruijie RG-BCR600W devices to trusted networks and IP addresses using firewall rules and network segmentation. 2. Disable or restrict access to the run_tcpdump functionality if possible until a patch is available. 3. Monitor network traffic for unusual POST requests targeting the /usr/lib/lua/luci/controller/admin/common_tcpdump.lua endpoint, especially those containing suspicious payloads. 4. Implement strong authentication and access controls on the device management interfaces to prevent unauthorized access. 5. Engage with Ruijie Networks for timely updates and patches addressing this vulnerability and apply them as soon as they become available. 6. Conduct regular security audits and vulnerability assessments on network infrastructure devices to detect and remediate similar issues proactively. 7. Educate network administrators about the risks of exposing management interfaces to untrusted networks and enforce best practices for device hardening.