CVE-2025-56090: n/a
OS Command Injection vulnerability in Ruijie RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
AI Analysis
Technical Summary
CVE-2025-56090 is an OS command injection vulnerability identified in Ruijie RG-EW1200G PRO wireless access points running firmware versions V1.00 through V4.00. The flaw resides in the /usr/local/lua/dev_config/config_retain.lua file, specifically in the module_set functionality that processes POST requests. An attacker with low-level privileges can craft a malicious POST request that injects arbitrary operating system commands, which the device executes with the privileges of the affected service. This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that input validation is insufficient or absent, allowing command injection. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Although no public exploits have been reported, the vulnerability's characteristics suggest it could be weaponized to gain full control over the device, disrupt network services, or pivot into internal networks. The vulnerability affects multiple firmware versions, indicating a broad attack surface. The absence of published patches at the time of disclosure necessitates immediate compensating controls.
Potential Impact
For European organizations, the exploitation of CVE-2025-56090 could lead to severe consequences including unauthorized access to network infrastructure, data breaches, and disruption of critical network services. Compromise of Ruijie RG-EW1200G PRO devices could allow attackers to intercept or manipulate network traffic, deploy malware, or establish persistent footholds within enterprise environments. This is particularly concerning for sectors such as telecommunications, government, finance, and critical infrastructure operators that rely on these devices for secure wireless connectivity. The high severity and ease of exploitation mean that attackers could rapidly compromise vulnerable devices remotely, potentially leading to widespread operational disruptions and data loss. The lack of known exploits currently provides a limited window for proactive defense, but also indicates the need for urgent patching and monitoring to prevent future attacks.
Mitigation Recommendations
1. Immediately restrict access to the management interfaces of Ruijie RG-EW1200G PRO devices to trusted IP addresses and networks, ideally isolating them from the public internet.
2. Implement network segmentation to limit the exposure of vulnerable devices and reduce lateral movement opportunities.
3. Monitor network traffic for unusual POST requests targeting the /usr/local/lua/dev_config/config_retain.lua module_set endpoint, using IDS/IPS or custom detection rules.
4. Apply vendor-supplied patches or firmware updates as soon as they become available; in the absence of patches, consider temporary device replacement or removal from critical network segments.
5. Enforce strict input validation and command execution policies on affected devices if configurable.
6. Conduct regular vulnerability scans and penetration tests focusing on Ruijie devices to identify potential exploitation attempts.
7. Educate network administrators about this vulnerability and the importance of monitoring and access controls.
8. Maintain up-to-date asset inventories to quickly identify and remediate affected devices.
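A concrete form of recommendations 1 and 3, as an added example that is not part of the advisory or Ruijie's code: a small Python rule that scans access-log lines for POST requests to the module_set handler coming from outside the trusted management network, or carrying shell metacharacters in the URL-decoded body. The log format, the trusted network, the request path and the sample lines are all constructed assumptions, since the advisory does not publish the URI that reaches config_retain.lua.

```python
"""Log-scanning rule for the monitoring step above (added example, not Ruijie code).
Assumed line format: <timestamp> <client_ip> <method> <path> <url-encoded body>.
The URI reaching module_set is not published, so the path fragments are assumed."""
import ipaddress
import re
from urllib.parse import unquote_plus

# Trusted management networks (constructed; recommendation 1 of the advisory).
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Assumed path fragments that reach the vulnerable handler.
SUSPECT_PATH = re.compile(r"config_retain\.lua|module_set", re.IGNORECASE)
# Shell metacharacters that have no business in a config-module name (CWE-78).
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ?(.*)$")

def parse_line(line):
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, body = m.groups()
    return {"ts": ts, "ip": ip, "method": method.upper(), "path": path, "body": unquote_plus(body)}

def classify(req):
    """Return the reasons this request deserves attention (empty list = benign)."""
    reasons = []
    if req["method"] != "POST" or not SUSPECT_PATH.search(req["path"]):
        return reasons
    if not any(ipaddress.ip_address(req["ip"]) in n for n in TRUSTED_NETS):
        reasons.append("post_to_module_set_from_untrusted_source")
    if SHELL_META.search(req["body"]):
        reasons.append("shell_metacharacter_in_body")
    return reasons

def scan(lines):
    """Return (timestamp, client_ip, reasons) for every line that trips a rule."""
    hits = []
    for line in lines:
        req = parse_line(line)
        if req and (why := classify(req)):
            hits.append((req["ts"], req["ip"], why))
    return hits

# Constructed sample lines, not captured traffic; the path is a placeholder.
SAMPLE_LOG = """\
2025-12-11T18:00:01Z 10.10.0.5 POST /api/module_set module=wlan
2025-12-11T18:00:07Z 203.0.113.9 POST /api/module_set module=wlan%3Bxyz
2025-12-11T18:00:09Z 203.0.113.9 GET /index.html
2025-12-11T18:00:12Z 10.10.0.5 POST /api/module_set module=wlan%60xyz%60
""".splitlines()
```

Feed the output of `scan()` to a SIEM alert; the first reason fires even when the body looks benign, because any POST to this handler from an untrusted source violates the access restriction in recommendation 1.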
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693b0c4e7d4c6f31f7befd3a
Added to database: 12/11/2025, 6:24:14 PM
Last enriched: 12/19/2025, 5:28:56 AM
Last updated: 2/7/2026, 12:10:50 AM