CVE-2025-56088 is an OS Command Injection vulnerability identified in the Ruijie RG-BCR RG-BCR860 network device. The flaw resides in the action_service endpoint implemented in the Lua script located at /usr/lib/lua/luci/controller/admin/service.lua. An attacker with low privileges can craft a malicious POST request to this endpoint, injecting arbitrary operating system commands that the device executes. This vulnerability is classified under CWE-78, indicating improper neutralization of special elements used in OS commands. The CVSS 3.1 base score of 8.8 reflects its high severity, with an attack vector over the network (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation could allow attackers to gain control over the device, manipulate configurations, intercept or disrupt network traffic, and potentially pivot to internal networks. No patches or known exploits are currently reported, but the vulnerability's nature demands urgent attention. The affected device is commonly used in enterprise and service provider environments, making this a critical risk for network infrastructure security.

For European organizations, exploitation of CVE-2025-56088 could lead to severe consequences including unauthorized access to sensitive network infrastructure, disruption of critical services, and potential lateral movement within corporate networks. Compromise of Ruijie RG-BCR860 devices could result in interception or manipulation of network traffic, leading to data breaches or denial of service conditions. Given the device’s role in network management, attackers could alter routing, firewall rules, or monitoring configurations, severely impacting operational continuity. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and government agencies across Europe. The high severity and network-based attack vector increase the likelihood of targeted attacks, especially in environments where these devices are deployed at the network edge or in data centers. The absence of known exploits does not diminish the risk, as the vulnerability is straightforward to exploit and could be weaponized rapidly once publicized.

1. Immediately restrict access to the management interfaces of Ruijie RG-BCR860 devices, limiting connections to trusted IP addresses and internal networks only. 2. Implement strict network segmentation to isolate vulnerable devices from critical infrastructure and sensitive data environments. 3. Monitor network traffic for unusual POST requests to the action_service endpoint or other suspicious activity indicative of command injection attempts. 4. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or anomaly detection tuned to identify exploitation attempts targeting this vulnerability. 5. Engage with Ruijie Networks for official patches or firmware updates addressing CVE-2025-56088 and apply them promptly once available. 6. Conduct regular security audits and vulnerability assessments on network devices to detect and remediate similar issues proactively. 7. Educate network administrators on the risks of command injection and the importance of secure configuration and access controls. 8. Consider deploying application-layer firewalls or web application firewalls (WAFs) that can filter malicious payloads in HTTP POST requests targeting the vulnerable endpoint.