CVE-2025-56098 is an OS Command Injection vulnerability identified in the Ruijie X30-PRO router firmware version X30-PRO-V1_09241521. The flaw exists in the module_get function located in the /usr/local/lua/dev_sta/networkConnect.lua script. An attacker with low privileges can send a specially crafted POST request to this endpoint, which fails to properly sanitize input before passing it to system-level commands. This allows arbitrary command execution on the underlying operating system, potentially leading to full device compromise. The vulnerability is characterized by a CVSS v3.1 score of 8.8, indicating high severity with network attack vector, low attack complexity, and no user interaction required. The impact includes full confidentiality, integrity, and availability loss on the device. Although no public exploits are known yet, the nature of the vulnerability and the device’s role as a network infrastructure component make it a critical risk. The weakness corresponds to CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a common and dangerous class of injection flaws. The vulnerability was reserved in August 2025 and published in December 2025, with no patches currently listed, emphasizing the need for immediate mitigation measures.

For European organizations, this vulnerability poses a significant threat to network infrastructure security. Ruijie X30-PRO devices are often deployed in enterprise and service provider environments, where compromise could lead to unauthorized access to internal networks, interception or manipulation of sensitive data, and disruption of network services. The ability to execute arbitrary commands remotely can enable attackers to install persistent backdoors, pivot to other systems, or launch denial-of-service attacks. Given the high CVSS score and the critical role of routers in network traffic management, exploitation could result in severe operational and reputational damage. Organizations in sectors such as finance, telecommunications, government, and critical infrastructure are particularly at risk due to the strategic importance of their network devices. The lack of known exploits currently provides a window for proactive defense, but the ease of exploitation and network accessibility make rapid response essential.

1. Immediately inventory and identify all Ruijie X30-PRO devices within the network environment. 2. Monitor Ruijie’s official channels for firmware updates or patches addressing CVE-2025-56098 and apply them promptly upon release. 3. Until patches are available, restrict network access to management interfaces of affected devices using firewall rules and network segmentation to limit exposure. 4. Implement intrusion detection/prevention systems (IDS/IPS) with signatures or anomaly detection capable of identifying suspicious POST requests targeting the module_get endpoint. 5. Conduct regular audits of device configurations and logs to detect unusual command execution or unauthorized access attempts. 6. Employ network-level filtering to block malformed or unexpected POST requests to the vulnerable endpoint. 7. Educate network administrators about the vulnerability and enforce strict access controls and multi-factor authentication for device management. 8. Consider temporary replacement or isolation of vulnerable devices in high-risk environments until a secure firmware version is deployed.