CVE-2025-56095 is an OS Command Injection vulnerability found in Ruijie RG-EW1200G PRO routers, affecting firmware versions V1.00 through V4.00. The vulnerability resides in the module_set function within the /usr/local/lua/dev_sta/nbr_cwmp.lua file. An attacker can exploit this by sending a specially crafted POST request to this endpoint, which fails to properly sanitize input, allowing arbitrary OS command execution on the underlying device. This type of vulnerability is critical because it enables attackers to execute commands with the privileges of the router's web server process, potentially leading to full device compromise. The vulnerability does not require user interaction but does require network access to the affected device, typically via the management interface. No public exploits or patches are currently available, and no CVSS score has been assigned yet. The flaw could be leveraged to disrupt network operations, intercept or manipulate traffic, or pivot to internal networks. The lack of authentication details suggests that if the management interface is exposed or accessible internally, the risk is elevated. This vulnerability highlights the importance of secure coding practices in embedded device firmware, especially for network infrastructure devices.

For European organizations, the impact of CVE-2025-56095 could be severe. Compromise of Ruijie RG-EW1200G PRO routers could lead to unauthorized access to internal networks, interception or manipulation of sensitive data, and disruption of network availability. Critical sectors such as finance, healthcare, telecommunications, and government agencies relying on these routers may experience operational downtime or data breaches. The ability to execute arbitrary commands on the router could allow attackers to install persistent malware, create backdoors, or launch further attacks within the network. Given the central role of routers in network traffic routing and security, exploitation could undermine confidentiality, integrity, and availability of organizational IT assets. The threat is exacerbated if management interfaces are exposed to untrusted networks or if network segmentation is weak. Additionally, the absence of patches increases the window of exposure until mitigations are implemented.

1. Immediately restrict access to the router’s management interface to trusted networks only, preferably via VPN or secure management VLANs. 2. Monitor network traffic for unusual POST requests targeting the /usr/local/lua/dev_sta/nbr_cwmp.lua module_set endpoint, using IDS/IPS solutions with custom signatures. 3. Disable remote management interfaces if not strictly necessary. 4. Implement network segmentation to isolate critical infrastructure and limit lateral movement in case of compromise. 5. Once available, promptly apply firmware updates or patches released by Ruijie addressing this vulnerability. 6. Conduct regular security audits of network devices to identify unauthorized configuration changes or suspicious activity. 7. Employ strong authentication and access controls for device management. 8. Consider deploying endpoint detection and response (EDR) solutions to detect anomalous behavior originating from compromised routers. 9. Engage with Ruijie support or vendors for timely vulnerability disclosures and mitigation guidance.