
CVE-2025-56090: n/a

Published: Thu Dec 11 2025 (12/11/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

OS Command Injection vulnerability in Ruijie RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set handler in file /usr/local/lua/dev_config/config_retain.lua.

AI-Powered Analysis

Last updated: 12/11/2025, 18:39:15 UTC

Technical Analysis

CVE-2025-56090 is a critical OS Command Injection vulnerability identified in the Ruijie RG-EW1200G PRO series of network devices, spanning firmware versions V1.00 through V4.00. The flaw resides in the handling of POST requests to the module_set endpoint within the Lua script located at /usr/local/lua/dev_config/config_retain.lua. An attacker can craft a malicious POST request that injects arbitrary operating system commands, which the device executes with the privileges of the affected service. This type of vulnerability allows remote attackers to gain unauthorized control over the device, potentially leading to full system compromise. The vulnerability does not require authentication, making it exploitable by any remote actor with network access to the device’s management interface. No CVSS score has been assigned yet, and no patches or official mitigations have been published, increasing the urgency for defensive measures. Although no known exploits are currently in the wild, the simplicity of exploitation and the critical nature of the vulnerability make it a significant threat. The affected devices are typically used in enterprise and service provider environments, where compromise could disrupt network operations, leak sensitive data, or serve as a foothold for further attacks within an organization’s network.

Potential Impact

For European organizations, exploitation of CVE-2025-56090 could result in severe operational and security consequences. Attackers gaining arbitrary command execution on Ruijie RG-EW1200G PRO devices could disrupt network availability by disabling or reconfiguring critical network functions. Confidentiality could be compromised if attackers extract sensitive configuration data or intercept network traffic. Integrity risks include unauthorized changes to device settings or firmware, potentially enabling persistent backdoors or lateral movement within the network. Given the lack of authentication requirements, attackers could exploit this vulnerability remotely, increasing the attack surface. Organizations relying on these devices for critical infrastructure, such as telecommunications providers, government agencies, or large enterprises, could face significant downtime and data breaches. The absence of patches means that mitigation relies heavily on network-level controls and monitoring, which may not be uniformly implemented across all European entities, increasing exposure.

Mitigation Recommendations

1. Immediately restrict access to the management interfaces of Ruijie RG-EW1200G PRO devices to trusted internal networks only, using network segmentation and firewall rules.
2. Implement strict ingress filtering to block unauthorized POST requests to the module_set endpoint or any suspicious HTTP traffic targeting device management interfaces.
3. Deploy intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect and alert on anomalous POST requests or command injection patterns targeting the Lua script path.
4. Monitor device logs and network traffic for unusual activity indicative of exploitation attempts, such as unexpected command execution or configuration changes.
5. Coordinate with Ruijie Networks for official patches or firmware updates and apply them promptly once available.
6. Consider temporary device isolation or replacement if critical infrastructure depends on these devices and no immediate patch is available.
7. Educate network administrators about this vulnerability and enforce strict operational security policies around device management.
8. Conduct regular vulnerability scans and penetration tests focusing on network device security to identify and remediate similar risks proactively.
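The following is an added example, not code from the advisory or from Ruijie, showing how steps 1 to 3 above can be turned into detection logic. It assumes a reverse proxy or IDS in front of the device's management interface that emits one JSON record per HTTP request (a constructed log format), a trusted management network of 10.10.0.0/24 (an assumption), and, because the page does not give the handler's URL, it matches the handler name "module_set" and the script name "config_retain.lua" wherever they appear in the path or body rather than a specific route.

```python
"""Detection helper for POST requests that reach the module_set handler in
/usr/local/lua/dev_config/config_retain.lua on a Ruijie RG-EW1200G PRO.
Added example; the log format, the trusted network and the sample records
below are constructed assumptions, not the vendor's own logs or endpoints."""
import ipaddress
import json
import re

# Assumption: the only network that may reach the management interface (mitigation step 1).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Grounded in the advisory: the vulnerable handler is "module_set" in config_retain.lua.
# The exact URL is not on the page, so both names are matched anywhere in path or body.
HANDLER_MARKERS = ("module_set", "config_retain.lua")

# Generic OS command-injection indicators (shell metacharacters) as used in WAF/IDS rules.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")


def parse_line(line: str) -> dict:
    """Parse one JSON-lines record emitted by the proxy in front of the device.
    Constructed format: {"src": <client ip>, "method": ..., "path": ..., "body": ...}."""
    rec = json.loads(line)
    for key in ("src", "method", "path", "body"):
        rec.setdefault(key, "")
    return rec


def classify(rec: dict) -> list:
    """Return the reasons a request should be alerted on; an empty list means benign."""
    reasons = []
    src = ipaddress.ip_address(rec["src"])
    # Step 1: any management-plane request from outside the trusted network is a policy hit.
    if not any(src in net for net in TRUSTED_MGMT_NETS):
        reasons.append("untrusted_source")
    # Steps 2/3: every POST that reaches the vulnerable handler is logged, and the body is
    # checked for shell metacharacters that a legitimate configuration change should not carry.
    haystack = rec["path"] + " " + rec["body"]
    if rec["method"].upper() == "POST" and any(m in haystack for m in HANDLER_MARKERS):
        reasons.append("post_to_vulnerable_handler")
        if SHELL_META.search(rec["body"]):
            reasons.append("shell_metacharacters")
    return reasons


def scan(lines) -> list:
    """Run classify() over a log stream; return (src, path, reasons) for hits only."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src"], rec["path"], reasons))
    return hits


# Constructed sample records: a benign status read, a legitimate configuration change
# from the management network, a request from outside that network carrying a shell
# metacharacter in the handler's input, and a plain login attempt from outside.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "10.10.0.5", "method": "GET", "path": "/status", "body": ""},
    {"src": "10.10.0.5", "method": "POST", "path": "/api",
     "body": '{"module_set":{"module":"wan","mode":"dhcp"}}'},
    {"src": "203.0.113.7", "method": "POST", "path": "/api",
     "body": '{"module_set":{"module":"wan; <injected>"}}'},
    {"src": "198.51.100.9", "method": "GET", "path": "/login", "body": ""},
)]

if __name__ == "__main__":
    for src, path, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {src} {path}: {', '.join(reasons)}")
```

The untrusted-source rule fires on its own because, with step 1 applied, the management interface should never see traffic from outside the allow-listed range; the handler and metacharacter rules add severity rather than replacing it. The regex is deliberately broad (it also flags a literal `&` in an otherwise legitimate value), which is the right trade-off for an unpatched device where the cost of a false positive is an analyst look at one configuration request.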


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-08-16T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 693b0c4e7d4c6f31f7befd3a

Added to database: 12/11/2025, 6:24:14 PM

Last enriched: 12/11/2025, 6:39:15 PM

Last updated: 12/12/2025, 4:00:53 AM

Views: 12

