CVE-2025-56088 is a critical OS command injection vulnerability identified in the Ruijie RG-BCR RG-BCR860 network device. The vulnerability exists in the action_service endpoint handled by the Lua script located at /usr/lib/lua/luci/controller/admin/service.lua. By sending a crafted POST request to this endpoint, an attacker can inject arbitrary OS commands, which the device executes with the privileges of the service process. This can lead to complete compromise of the device, allowing attackers to manipulate network traffic, exfiltrate sensitive data, or use the device as a pivot point for further attacks within the network. The vulnerability does not require prior authentication, increasing the attack surface significantly. Although no CVSS score or patches are currently published, the nature of the vulnerability suggests a severe risk. No known exploits have been reported in the wild yet, but the ease of exploitation and potential impact warrant urgent attention. The affected device is commonly deployed in enterprise and service provider environments, making it a valuable target for attackers aiming to disrupt or infiltrate network infrastructure.

For European organizations, exploitation of this vulnerability could result in unauthorized control over critical network devices, leading to data breaches, network downtime, and disruption of services. Attackers could intercept or manipulate network traffic, degrade network performance, or launch further attacks against internal systems. Organizations in sectors such as telecommunications, finance, government, and critical infrastructure that rely on Ruijie RG-BCR860 devices are particularly at risk. The compromise of these devices could also facilitate lateral movement within corporate networks, increasing the scope and severity of potential breaches. Additionally, the lack of authentication requirement means that attackers can exploit this vulnerability remotely if the management interface is exposed, increasing the likelihood of attacks against European entities.

Until an official patch is released, organizations should immediately restrict access to the management interface of Ruijie RG-BCR860 devices by implementing network segmentation and firewall rules to limit access to trusted IP addresses only. Disable remote management if not required, or enforce VPN access for remote administration. Monitor network traffic for unusual POST requests targeting the action_service endpoint and implement intrusion detection/prevention systems with custom signatures to detect exploitation attempts. Conduct thorough audits of device configurations and logs to identify any signs of compromise. Engage with Ruijie support channels to obtain updates on patches or workarounds. Additionally, consider deploying network anomaly detection tools to identify lateral movement or unusual command execution patterns stemming from compromised devices.