CVE-2025-56097 is a critical OS command injection vulnerability identified in the Ruijie RG-EW1800GX PRO router firmware, specifically within the Lua script located at /usr/local/lua/dev_config/config_retain.lua. The vulnerability arises from improper input validation in the module_set function, which processes POST requests. An attacker can craft a malicious POST request to this endpoint, injecting arbitrary OS commands that the device executes with elevated privileges. This flaw effectively allows remote code execution without requiring authentication or user interaction, making it highly exploitable. The Ruijie RG-EW1800GX PRO is a high-performance enterprise-grade wireless router commonly deployed in corporate and governmental networks. Exploitation could lead to full device compromise, enabling attackers to manipulate network traffic, exfiltrate sensitive data, or pivot to internal systems. Although no public exploits or patches have been released as of the publication date, the vulnerability's nature demands urgent attention. The absence of a CVSS score necessitates a severity assessment based on impact and exploitability factors. The vulnerability impacts confidentiality by exposing sensitive configuration and network data, integrity by allowing unauthorized command execution, and availability by potentially disrupting device operations. The scope includes all devices running the affected firmware version, with no authentication barrier. This vulnerability represents a significant risk to organizations relying on Ruijie networking equipment, especially those with exposed management interfaces.

For European organizations, the impact of CVE-2025-56097 could be severe. Compromise of the Ruijie RG-EW1800GX PRO routers may lead to unauthorized access to internal networks, interception or manipulation of network traffic, and disruption of critical communication infrastructure. Enterprises and government agencies using these devices could face data breaches, espionage, or operational outages. The vulnerability's ability to execute arbitrary commands remotely without authentication increases the likelihood of widespread exploitation, especially in environments where device management interfaces are accessible from untrusted networks. Additionally, attackers could leverage compromised routers as footholds for lateral movement, escalating attacks within the organization's IT environment. The lack of available patches means organizations must rely on network-level controls and monitoring to mitigate risk. Given Ruijie's presence in European markets, particularly in sectors prioritizing cost-effective yet robust networking solutions, the threat is material. Failure to address this vulnerability promptly could result in significant financial, reputational, and regulatory consequences under EU data protection laws.

1. Immediately restrict access to the management interfaces of Ruijie RG-EW1800GX PRO routers, ensuring they are not exposed to untrusted networks or the internet. 2. Implement network segmentation to isolate critical infrastructure and limit the impact of a compromised device. 3. Deploy intrusion detection and prevention systems (IDS/IPS) with signatures or heuristics to detect anomalous POST requests targeting the module_set endpoint or unusual command execution patterns. 4. Monitor router logs for suspicious activity, including unexpected POST requests or command execution traces. 5. Engage with Ruijie support or authorized vendors to obtain firmware updates or patches as soon as they become available. 6. If patching is delayed, consider temporary device replacement or enhanced compensating controls such as VPN-only management access and multi-factor authentication for administrative interfaces. 7. Conduct regular security audits and penetration testing focusing on network devices to identify and remediate similar vulnerabilities proactively. 8. Educate IT staff on the specifics of this vulnerability to improve detection and response capabilities.