CVE-2025-56106 is an operating system command injection vulnerability affecting the Ruijie RG-EW1800GX router firmware version B11P226_EW1800GX_10223121. The flaw resides in the module_set function implemented in the Lua script located at /usr/local/lua/dev_sta/nbr_cwmp.lua. An attacker can exploit this vulnerability by crafting a malicious POST request targeting this module, which allows arbitrary OS command execution on the device. This type of vulnerability is critical because it enables remote attackers to execute commands with the privileges of the affected process, potentially leading to full device compromise. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely. Although no known public exploits or patches are currently available, the risk is high given the nature of the flaw and the device’s role in network infrastructure. The Ruijie RG-EW1800GX is a network router commonly used in enterprise and service provider environments, which could lead to significant disruption if compromised. The lack of a CVSS score necessitates an assessment based on impact and exploitability factors, indicating a high severity rating. The vulnerability could be leveraged to disrupt network operations, intercept or alter data, or pivot into internal networks, posing a serious threat to affected organizations.

For European organizations, exploitation of CVE-2025-56106 could result in unauthorized control over critical network infrastructure, leading to potential data breaches, network outages, and lateral movement within corporate networks. Confidentiality could be compromised through interception or manipulation of network traffic. Integrity risks arise from the possibility of attackers altering device configurations or injecting malicious payloads. Availability could be impacted if attackers disrupt routing or firewall functions, causing denial-of-service conditions. Given the router’s role in enterprise and service provider networks, successful exploitation could affect large numbers of users and services. The absence of authentication requirements increases the likelihood of remote exploitation, raising the threat level for organizations relying on Ruijie devices. Additionally, the lack of patches or mitigations at the time of disclosure means organizations must act swiftly to prevent exploitation. The impact is particularly severe for sectors with stringent uptime and data protection requirements, such as finance, healthcare, and critical infrastructure.

Organizations should immediately inventory their network devices to identify any Ruijie RG-EW1800GX routers in use. Until an official patch is released, network administrators should implement strict ingress filtering to block suspicious POST requests targeting the vulnerable module_set endpoint. Deploying web application firewalls (WAFs) or intrusion prevention systems (IPS) with custom rules to detect and block command injection patterns in HTTP POST requests can reduce exposure. Network segmentation should be enforced to limit access to management interfaces from untrusted networks. Monitoring network traffic and device logs for unusual activity related to the Lua script or POST requests can help detect exploitation attempts early. Organizations should engage with Ruijie support channels to obtain firmware updates or advisories. Additionally, consider temporary replacement or isolation of vulnerable devices in critical environments. Employee awareness and incident response plans should be updated to address potential exploitation scenarios. Finally, maintain regular backups of device configurations to enable rapid recovery if compromise occurs.