CVE-2025-56096 is an OS command injection vulnerability identified in the Ruijie RG-BCR RG-BCR600W wireless controller device. The vulnerability resides in the restart_modules function within the Lua controller script located at /usr/lib/lua/luci/controller/admin/common.lua. An attacker can exploit this flaw by sending a specially crafted POST request to the restart_modules endpoint, which fails to properly sanitize input parameters before passing them to system command execution functions. This lack of input validation enables arbitrary command execution on the underlying operating system with the privileges of the affected service, potentially root or administrative level. The vulnerability does not currently have a CVSS score or publicly available patches, and no exploits have been observed in the wild. However, given the nature of OS command injection vulnerabilities, exploitation could allow attackers to fully compromise the device, manipulate network traffic, disrupt services, or pivot into internal networks. The affected device is typically deployed in enterprise and service provider environments for network management and wireless access control, making it a high-value target. The vulnerability was reserved in August 2025 and published in December 2025, indicating recent discovery and disclosure. Due to the critical role of such devices in network infrastructure, exploitation could have severe operational impacts.

For European organizations, exploitation of CVE-2025-56096 could lead to complete compromise of the Ruijie RG-BCR600W device, resulting in unauthorized access to network management functions, interception or manipulation of network traffic, and potential lateral movement within corporate networks. This could disrupt business operations, degrade network availability, and expose sensitive data. Critical infrastructure sectors such as telecommunications, finance, and government agencies relying on Ruijie devices for wireless network management are particularly at risk. The vulnerability could also be leveraged to launch further attacks against connected systems or to establish persistent footholds within enterprise environments. The absence of known exploits currently reduces immediate risk, but the ease of exploitation via network requests and the high privileges likely obtained upon successful attack elevate the threat level. European organizations with limited network segmentation or weak access controls on management interfaces face greater exposure.

1. Immediately restrict access to the administrative interface of Ruijie RG-BCR600W devices by implementing network segmentation and firewall rules to limit management traffic only to trusted hosts or VPNs. 2. Monitor network traffic for unusual POST requests targeting the restart_modules endpoint or other administrative Lua controller scripts, using IDS/IPS or SIEM solutions. 3. Engage with Ruijie Networks for official patches or firmware updates addressing CVE-2025-56096 and apply them promptly once available. 4. Implement strong authentication and multi-factor authentication on device management interfaces to reduce unauthorized access risk. 5. Conduct regular vulnerability scans and penetration tests focusing on network management devices to identify potential exploitation attempts. 6. Maintain up-to-date asset inventories to quickly identify affected devices and prioritize remediation efforts. 7. Educate network administrators about this vulnerability and the importance of monitoring and restricting access to critical network infrastructure components.