CVE-2025-56101 is an OS Command Injection vulnerability identified in Ruijie M18 network devices running firmware version EW_3.0(1)B11P226_M18_10223116. The vulnerability resides in the module_get function implemented in the Lua script located at /usr/local/lua/dev_sta/networkConnect.lua. An attacker with low-level privileges can craft a specially designed POST request to this endpoint, which fails to properly sanitize input parameters, allowing arbitrary command execution on the underlying operating system. This type of vulnerability (CWE-78) is critical because it enables attackers to execute system-level commands, potentially leading to full device compromise including data theft, configuration manipulation, or denial of service. The CVSS v3.1 base score of 8.8 reflects the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), requirement for privileges (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers seeking to pivot into internal networks or disrupt network infrastructure. The lack of available patches at the time of disclosure necessitates immediate defensive measures to reduce exposure.

For European organizations, this vulnerability poses a significant threat to network infrastructure security, especially for those deploying Ruijie M18 devices in critical environments such as enterprise networks, data centers, and industrial control systems. Successful exploitation can lead to unauthorized command execution, enabling attackers to exfiltrate sensitive data, alter device configurations, disrupt network services, or establish persistent footholds. Given the high impact on confidentiality, integrity, and availability, organizations could face operational downtime, data breaches, and compliance violations under regulations like GDPR. The requirement for low-level privileges means that insider threats or compromised credentials could be leveraged to exploit this vulnerability. Additionally, the network-accessible nature of the flaw increases the attack surface, potentially allowing remote exploitation from untrusted networks if management interfaces are exposed. This elevates the risk for European entities with remote or hybrid network architectures.

1. Immediately restrict access to the management interfaces of Ruijie M18 devices by implementing network segmentation and firewall rules to limit connections to trusted administrative hosts. 2. Monitor network traffic for anomalous POST requests targeting the module_get endpoint or unusual command execution patterns on affected devices. 3. Employ strong authentication and credential management to prevent unauthorized access, including multi-factor authentication where supported. 4. Disable or restrict Lua scripting capabilities on the device if feasible, or apply input validation controls at the network perimeter. 5. Engage with Ruijie support channels to obtain firmware updates or patches as soon as they become available and prioritize their deployment. 6. Conduct thorough audits of device configurations and logs to detect any signs of compromise or exploitation attempts. 7. Implement intrusion detection/prevention systems (IDS/IPS) with signatures tailored to detect exploitation attempts of this vulnerability. 8. Educate network administrators about this vulnerability and enforce strict operational security practices to minimize risk.