
CVE-2025-56089: n/a

Severity: High
Vulnerability: CVE-2025-56089
Published: Thu Dec 11 2025 (12/11/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

OS Command Injection vulnerability in Ruijie M18 EW_3.0(1)B11P226_M18_10223116 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.

AI-Powered Analysis

AI analysis last updated: 12/19/2025, 05:28:42 UTC

Technical Analysis

CVE-2025-56089 is an OS command injection vulnerability (CWE-78, Improper Neutralization of Special Elements used in an OS Command) in the Ruijie M18 firmware build EW_3.0(1)B11P226_M18_10223116. The flaw sits in the module_set handler implemented in the Lua script /usr/local/lua/dev_sta/nbr_cwmp.lua on the device. That string is a path on the router's filesystem, not an HTTP route: the CVE record does not name the URL that reaches module_set, and the file name only suggests a CWMP (TR-069) related module without saying what module_set does. According to the description, a crafted POST request to that handler carries a parameter that is passed into an operating system command without validation or escaping, so anyone who can reach the endpoint executes arbitrary commands with the privileges of the process running the Lua code, which on embedded routers is commonly root. The record does not state what authentication, if any, the endpoint requires.

The CVE record itself carries no CVSS vector (Cvss Version: null in the technical details below). The High rating and the CVSS v3.1 estimate of 8.8 shown on this page are this site's assessment and assume a network attack vector, low privileges required, no user interaction and full loss of confidentiality, integrity and availability; treat those parameters as unconfirmed until Ruijie or the CNA publishes a vector. No public exploit has been reported at the time of writing, but command injections in router management handlers are routinely weaponized once the request format is known. A successful exploit gives full control of the device: interception or manipulation of the traffic it forwards, service disruption, persistence that survives a reboot, and a pivot point into the networks behind it.
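The injection mechanism, as an added example that is not code from the Ruijie firmware or from this page: a Lua handler in the style of an embedded web or CWMP script that concatenates a POST parameter into the command line os.execute() hands to /bin/sh, next to two hardened forms. The parameter name ifname and the ifconfig command are assumptions for illustration; the actual arguments module_set passes are not given on this page. Every function returns the command string instead of running it, so the example is safe to run with any Lua 5.1 to 5.4 interpreter.

```lua
-- Added example, not code from the Ruijie firmware. The parameter name
-- "ifname" and the "ifconfig" command are assumptions for illustration.

-- Vulnerable pattern (CWE-78): the POST parameter is concatenated straight
-- into a command line. os.execute()/io.popen() always run it via /bin/sh,
-- so ';', '|', '&&', '`...`' and '$(...)' in the value become shell syntax.
local function build_cmd_vulnerable(params)
  return "ifconfig " .. tostring(params.ifname or "") .. " up"
end

-- Hardened form 1 (preferred): accept only values that match a tight
-- allowlist before any shell is involved. Linux interface names are at most
-- 15 bytes of letters, digits, '_' and '-'; %w covers alphanumerics and
-- %- is an escaped hyphen inside the character class.
local function build_cmd_allowlist(params)
  local v = params.ifname
  if type(v) ~= "string" or #v > 15 or not v:match("^[%w_%-]+$") then
    return nil, "ifname rejected"
  end
  return "ifconfig " .. v .. " up"
end

-- Hardened form 2 (fallback when the value space is genuinely open): POSIX
-- single-quoting. Stock Lua has no argv-style exec without a shell, so
-- wrapping the value in single quotes and rewriting embedded quotes as '\''
-- is the only way to pass arbitrary text as one argument.
local function shell_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

local function build_cmd_quoted(params)
  local v = params.ifname
  if type(v) ~= "string" then return nil, "ifname missing" end
  return "ifconfig " .. shell_quote(v) .. " up"
end

-- Constructed inputs: the attack value ends ifconfig's argument list and
-- appends a second command.
local attack = { ifname = "eth0; cat /etc/passwd" }
local benign = { ifname = "eth0" }

-- Vulnerable: /bin/sh sees two commands separated by ';'.
assert(build_cmd_vulnerable(attack) == "ifconfig eth0; cat /etc/passwd up")
-- Allowlist: the attack value is refused, the benign one passes unchanged.
assert(build_cmd_allowlist(attack) == nil)
assert(build_cmd_allowlist(benign) == "ifconfig eth0 up")
-- Quoting: the whole value is one argument; ';' is no longer a separator.
assert(build_cmd_quoted(attack) == "ifconfig 'eth0; cat /etc/passwd' up")
assert(shell_quote("a'b") == "'a'\\''b'")

print(build_cmd_vulnerable(attack))
print(build_cmd_quoted(attack))
```

The allowlist is the form to prefer in a fix: quoting protects a value used as a single argument, but not one that lands where the shell interprets it differently (as a command name, inside an eval, or inside an outer double-quoted string), and every call site has to remember it. The same reasoning applies to io.popen(), which goes through /bin/sh exactly like os.execute().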

Potential Impact

For European organizations, exploitation of CVE-2025-56089 could mean complete compromise of affected Ruijie M18 devices, which are typically deployed as routers or wireless access points. A compromised router sits in the data path, so an attacker can read or alter traffic that is not end-to-end encrypted, disrupt connectivity, and use the device as a persistent foothold for attacks on the internal network. Such devices rarely carry endpoint monitoring, so a compromise can go unnoticed for a long time. The impact is most severe for sectors that depend on network availability and integrity, such as finance, telecommunications, healthcare and government, and a breach through compromised network infrastructure can trigger notification duties and penalties under GDPR and other European data protection law. The absence of a known public exploit leaves a window for proactive defense, but that window should be assumed to be short once the request format becomes known.

Mitigation Recommendations

1. Segment the network so that Ruijie M18 devices are not reachable from untrusted networks, and expose their management interface (HTTP/HTTPS and any CWMP/TR-069 service) only to a small set of administrative hosts. Disable WAN-side management if it is enabled.
2. Enforce that restriction with ACLs or firewall rules on the management VLAN. The CVE record does not give the URL route that reaches module_set, so the rule has to cover the whole management interface rather than a single endpoint.
3. Monitor for POST requests to the management interface from unexpected sources and for request bodies containing shell metacharacters (; | & ` $ newline) or their URL-encoded forms. Note that /usr/local/lua/dev_sta/nbr_cwmp.lua is a path on the device's filesystem; it does not appear in network traffic and is not usable as a signature.
4. Obtain fixed firmware from Ruijie Networks. The record lists no fixed version, so check the vendor advisory; if no fix is available, disable the vulnerable service where possible or replace the device.
5. Where an IDS/IPS sits in front of the management interface, deploy a specific rule once the actual request route is known from the vendor advisory or from firmware analysis. Until then, a generic rule on decoded shell metacharacters in POST bodies sent to the device is a useful interim signal.
6. Use strong, unique administrative credentials and multi-factor authentication where the device or an upstream management platform supports it, so that an endpoint that does require authentication is not reachable with default or reused passwords.
7. Audit network infrastructure regularly for similar command-injection flaws and for unpatched firmware.
8. Keep an incident response plan for network device compromise: capture configuration and logs, re-flash from known-good vendor firmware rather than trusting a reboot, and rotate any credentials that may have been exposed through the device.
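A perimeter check for mitigations 3 and 5, added here and not code from this page or from Ruijie: it parses a form-encoded POST body the way the device would, then flags values containing shell metacharacters. The sample bodies and the parameter names in them (module, ifname, action) are constructed; the real parameters module_set reads are not on this page. The point it shows is that the check must run after URL-decoding, because an attacker sends %3B or %0A rather than a literal semicolon or newline, and a raw-byte signature never sees the metacharacter.

```lua
-- Added example, not from the page or the Ruijie firmware. Parameter names
-- and request bodies below are constructed for illustration.

-- Decode application/x-www-form-urlencoded: '+' -> space, %XX -> byte.
local function url_decode(s)
  s = s:gsub("%+", " ")
  s = s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end)
  return s
end

-- Split "k=v&k2=v2" into a table of decoded key/value pairs.
local function parse_form(body)
  local t = {}
  for pair in body:gmatch("[^&]+") do
    local k, v = pair:match("^([^=]*)=?(.*)$")
    t[url_decode(k)] = url_decode(v)
  end
  return t
end

-- Bytes /bin/sh treats specially: command separators, pipes, substitution,
-- redirection and line breaks. Inside [...] these are all literal in Lua.
local META = "[;|&`$<>\n\r]"

-- Returns findings sorted by key: { key=, value=, byte= } per suspicious value.
local function screen(body)
  local findings = {}
  for k, v in pairs(parse_form(body)) do
    local pos = v:find(META)
    if pos then
      findings[#findings + 1] = { key = k, value = v, byte = v:byte(pos) }
    end
  end
  table.sort(findings, function(a, b) return a.key < b.key end)
  return findings
end

-- Constructed sample bodies (not captured traffic).
local samples = {
  benign  = "module=nbr&ifname=eth0&action=set",
  raw     = "module=nbr&ifname=eth0;reboot&action=set",
  encoded = "module=nbr&ifname=eth0%3Breboot&action=set",    -- %3B is ';'
  newline = "module=nbr&ifname=eth0%0Areboot&action=set",    -- %0A is '\n'
  andand  = "module=nbr&ifname=eth0%26%26reboot&action=set", -- %26 is '&'
}

assert(#screen(samples.benign) == 0)
assert(#screen(samples.raw) == 1 and screen(samples.raw)[1].byte == string.byte(";"))
assert(#screen(samples.newline) == 1 and screen(samples.newline)[1].byte == 10)
assert(#screen(samples.andand) == 1 and screen(samples.andand)[1].value == "eth0&&reboot")
-- The encoded body carries no literal ';' on the wire: a raw-byte signature
-- would miss it, the decoded check catches it.
assert(not samples.encoded:find(";", 1, true))
assert(#screen(samples.encoded) == 1)

for name, body in pairs(samples) do
  local f = screen(body)
  if #f == 0 then
    print(name, "clean")
  else
    print(name, string.format("flag %s (byte 0x%02x)", f[1].key, f[1].byte))
  end
end
```

Runs with any Lua 5.1 to 5.4 interpreter. This is a detection aid, not a fix: a metacharacter denylist misses injection that needs none of these bytes and will false-positive on free-text fields such as passwords, so scope it to the device's management interface and to parameters that should never contain such bytes. The fix is vendor firmware that validates input inside the handler.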


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-08-16T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 693b0c4e7d4c6f31f7befd35

Added to database: 12/11/2025, 6:24:14 PM

Last enriched: 12/19/2025, 5:28:42 AM

Last updated: 2/5/2026, 4:01:14 PM
