CVE-2025-56087: OS Command Injection in Ruijie RG-BCR RG-BCR600W (run_tcpdump)
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the run_tcpdump in file /usr/lib/lua/luci/controller/admin/common_tcpdump.lua.
AI Analysis
Technical Summary
CVE-2025-56087 is an OS command injection vulnerability (CWE-78, Improper Neutralization of Special Elements used in an OS Command) in the Ruijie RG-BCR600W, a device in the RG-BCR line. The flaw is in the run_tcpdump function of the LuCI controller script /usr/lib/lua/luci/controller/admin/common_tcpdump.lua: values taken from a POST request are passed into a system-level tcpdump command without adequate validation or escaping, so shell metacharacters in a request parameter let an attacker append commands of their own. Those commands run with the privileges of the web service that serves the management interface; the advisory does not state which account that is, but on embedded firmware of this kind it is commonly root, so a successful attack should be treated as a full device compromise. The CVE record itself carries no CVSS entry (the technical details below list the CVSS version as null); the CVSS v3.1 score of 8.8 (High) given here is this analysis's own assessment, with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no user interaction, unchanged scope, and high impact on confidentiality, integrity and availability, but requiring low privileges (PR:L), that is, a valid login to the management interface. Default, weak or reused administrator credentials are therefore the only barrier in front of remote code execution. No public exploit is documented and no vendor patch was available at the time of publication, which is why the mitigations below matter. A compromised unit can be used to run arbitrary binaries, capture or alter traffic passing through it, disrupt service, or serve as a foothold for pivoting into internal networks.
Potential Impact
Exploitation gives an attacker command execution on a network device that sits in the traffic path, so the consequences extend beyond the device itself: interception or manipulation of communications that transit it, denial of service by disrupting forwarding, and a persistent foothold from which to move laterally into the internal network. Enterprises, public bodies and critical-infrastructure operators in Europe that run RG-BCR600W units are most exposed where the management interface is reachable from untrusted networks or is protected only by default credentials. Because the device carries traffic for the systems behind it, a compromise can cascade into loss of confidentiality and integrity for those systems as well, and the High CVSS rating reflects that combination of easy exploitation and full control of the device.
Mitigation Recommendations
Until a vendor fix is available, the practical controls are:
- Remove the management interface (the LuCI web UI) from any untrusted network, especially the WAN side, and restrict it to a management VLAN or jump host; exploitation requires network reach to the web UI.
- Because the flaw requires an authenticated account (PR:L), replace default and shared passwords and review or remove unneeded accounts; credentials are the only barrier in front of the injection.
- Disable or block the packet-capture feature if the firmware allows it, or block POST requests to the run_tcpdump endpoint at a reverse proxy or firewall in front of the device.
- Where a WAF or IDS/IPS sees the management traffic, alert on POST requests to that endpoint whose parameters contain shell metacharacters (; | & ` $ ( ) < > and newlines) or anything other than an interface name, a packet count and a simple capture filter.
- Review device logs and process listings for commands spawned by the web service other than the expected tcpdump invocation, and treat a device showing such activity as compromised rather than merely exposed.
- Track Ruijie's advisories and apply the firmware update as soon as one is released, then re-verify that the management interface is still restricted.
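The injection pattern described in the technical summary and the detection and validation rule recommended above, as an added example in Python (not code from the advisory, Ruijie, or LuCI). The real controller is Lua and the advisory names only the file and function, so the form fields iface, count and filter, the endpoint path containing run_tcpdump, and the sample requests are all assumptions constructed for illustration:

```python
"""Added example for CVE-2025-56087: not code from the advisory, Ruijie, or LuCI.

Models the CWE-78 pattern the advisory describes (POST fields concatenated into
a tcpdump shell command) beside an allowlist-based hardened form, and applies a
detection rule to constructed HTTP POST requests. Assumptions: the endpoint path
contains "run_tcpdump" and the form fields are iface/count/filter.
"""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT_FRAGMENT = "run_tcpdump"                      # assumed URL fragment
IFACE_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")         # Linux interface names
COUNT_RE = re.compile(r"[0-9]{1,5}")                   # tcpdump -c value
FILTER_RE = re.compile(r"[A-Za-z0-9 ._:-]{0,128}")     # simple BPF, e.g. "tcp port 80"
SHELL_META = re.compile(r"[;&|`$()<>{}\\'\"\n\r]")     # characters sh -c would interpret


def vulnerable_command(params):
    """Shape of the bug: raw form values are concatenated into one shell string.

    In a LuCI controller such a string typically reaches os.execute via
    luci.sys.call(), so iface="eth0;id" runs tcpdump and then id.
    """
    return "tcpdump -i %s -c %s %s" % (
        params.get("iface", ""), params.get("count", "10"), params.get("filter", ""))


def hardened_argv(params):
    """Allowlist every field and return an argv list to execute without a shell.

    Returns None when any field fails validation, so nothing is ever executed.
    """
    iface = params.get("iface", "")
    count = params.get("count", "10")
    filt = params.get("filter", "")
    if not (IFACE_RE.fullmatch(iface) and COUNT_RE.fullmatch(count)
            and FILTER_RE.fullmatch(filt)):
        return None
    # FILTER_RE admits no quotes or metacharacters, so whitespace split is exact.
    return ["tcpdump", "-i", iface, "-c", count] + filt.split()


def parse_post(raw):
    """Parse a raw HTTP/1.1 request into (path, single-valued form dict); path is None if not POST."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) < 2 or parts[0] != "POST":
        return None, {}
    fields = parse_qs(body, keep_blank_values=True)
    return urlsplit(parts[1]).path, {k: v[0] for k, v in fields.items()}


def classify(raw):
    """Detection rule: flag metacharacters or out-of-allowlist values sent to the endpoint."""
    path, params = parse_post(raw)
    if path is None or ENDPOINT_FRAGMENT not in path:
        return "ignore", ""
    for name, value in params.items():
        hit = SHELL_META.search(value)
        if hit:
            return "suspicious", "%s contains %r" % (name, hit.group(0))
    if hardened_argv(params) is None:
        return "suspicious", "field outside allowlist"
    return "benign", ""


# Constructed sample traffic, not captured from a real device.
BENIGN = ("POST /cgi-bin/luci/admin/network/run_tcpdump HTTP/1.1\r\n"
          "Host: 192.0.2.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
          "iface=eth0&count=20&filter=tcp+port+80")
INJECTED = ("POST /cgi-bin/luci/admin/network/run_tcpdump HTTP/1.1\r\n"
            "Host: 192.0.2.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
            "iface=eth0%3Bid%3E%2Ftmp%2Fo&count=1&filter=")
UNRELATED = "POST /cgi-bin/luci/admin/status HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\nx=1"

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("injected", INJECTED), ("unrelated", UNRELATED)):
        verdict, why = classify(raw)
        print("%-9s -> %-10s %s" % (label, verdict, why))
    print("shell string:", vulnerable_command(parse_post(INJECTED)[1]))
    print("hardened argv:", hardened_argv(parse_post(BENIGN)[1]))
```

Run it directly to see the three sample requests classified. In practice the classify rule would be fed from a reverse-proxy access log that records POST bodies or from an IDS with HTTP parsing, since the device's own logs are not trustworthy once it is compromised. The hardened_argv form is what a fix should look like in any language: allowlist each field, never assemble a shell string, and execute an argument vector.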
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 693b0c4e7d4c6f31f7befd2b
Added to database: 12/11/2025, 6:24:14 PM
Last enriched: 12/19/2025, 5:28:04 AM
Last updated: 2/6/2026, 1:25:43 AM