CVE-2025-56097 is an OS command injection vulnerability identified in the Ruijie RG-EW1800GX PRO router firmware, specifically in the B11P226_EW1800GX-PRO_10223117 build. The vulnerability resides in the module_set functionality within the /usr/local/lua/dev_config/config_retain.lua script. An attacker with low privileges (PR:L) can send a specially crafted POST request to this endpoint, which fails to properly sanitize input, allowing arbitrary OS commands to be executed on the underlying system. The vulnerability does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N). The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). This means an attacker could potentially take full control of the device, manipulate configurations, intercept or alter network traffic, or disrupt network services. Although no public exploits are currently known, the vulnerability’s nature and ease of exploitation make it a critical concern. The affected device is a network router commonly deployed in enterprise and possibly critical infrastructure environments, making the potential impact significant. The vulnerability is categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a common and dangerous class of injection flaws. No patches or firmware updates are currently linked, indicating that mitigation may require vendor intervention or temporary network controls.

For European organizations, the impact of CVE-2025-56097 is substantial. Compromise of the Ruijie RG-EW1800GX PRO routers could lead to unauthorized access to internal networks, interception or manipulation of sensitive data, and disruption of critical network services. This is particularly concerning for sectors such as finance, telecommunications, government, and critical infrastructure, where network integrity and confidentiality are paramount. Attackers could leverage this vulnerability to establish persistent footholds, launch further attacks, or exfiltrate data. The high severity and remote exploitability increase the risk of widespread attacks, especially if the vulnerability becomes publicly exploited. Given the router’s role as a network gateway, exploitation could also facilitate lateral movement within corporate networks, amplifying the damage. The lack of available patches at the time of disclosure necessitates immediate compensating controls to reduce exposure.

1. Immediately restrict network access to the management interfaces of Ruijie RG-EW1800GX PRO routers, especially blocking external access to the module_set endpoint or related management URLs. 2. Implement strict firewall rules and network segmentation to isolate vulnerable devices from critical network segments. 3. Monitor network traffic for unusual POST requests targeting /usr/local/lua/dev_config/config_retain.lua or abnormal command execution patterns. 4. Engage with Ruijie Networks to obtain firmware updates or security advisories addressing this vulnerability; prioritize applying patches once available. 5. Employ intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect exploitation attempts targeting this vulnerability. 6. Conduct thorough audits of affected devices to detect signs of compromise, including unauthorized configuration changes or unexpected processes. 7. Educate network administrators about this vulnerability and enforce the principle of least privilege for device management accounts to limit exploitation potential. 8. Consider temporary replacement or isolation of vulnerable devices in high-risk environments until a patch is deployed.