CVE-2025-56110: n/a
OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR860 allowing attackers to execute arbitrary commands via a crafted POST request to the action_deal_update in file /usr/lib/lua/luci/controller/api/rcmsAPI.lua.
AI Analysis
Technical Summary
CVE-2025-56110 is an OS command injection vulnerability identified in the Ruijie RG-BCR RG-BCR860 network device. The flaw exists in the Lua script handling the action_deal_update function within the rcmsAPI.lua controller file. Specifically, the vulnerability arises because user-supplied input in a crafted POST request is not properly sanitized or validated before being passed to system-level command execution functions. This allows an attacker with low privileges (PR:L) to inject arbitrary OS commands remotely over the network (AV:N) without requiring user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability (C:H/I:H/A:H) of the device, potentially allowing full system compromise, data exfiltration, or denial of service. The vulnerability is rated with a CVSS 3.1 score of 8.8, reflecting its high severity and ease of exploitation. Although no public exploits have been reported yet, the presence of this vulnerability in network infrastructure devices poses a significant risk, especially in environments where these devices are exposed or insufficiently protected. The CWE-78 classification confirms this is a classic OS command injection issue, which is a critical security flaw in web-facing applications or APIs. The lack of available patches at the time of publication necessitates immediate mitigation efforts by affected organizations.
Potential Impact
For European organizations, exploitation of CVE-2025-56110 could lead to severe consequences including unauthorized control over network devices, interception or manipulation of network traffic, disruption of critical services, and potential lateral movement within internal networks. Given that Ruijie RG-BCR860 devices are used in enterprise and possibly governmental networks, attackers could leverage this vulnerability to compromise sensitive data or disrupt operations. The high severity and network-exploitable nature mean that attackers can remotely execute commands without user interaction, increasing the risk of automated or targeted attacks. This could impact sectors such as telecommunications, finance, public administration, and critical infrastructure providers across Europe. The compromise of network devices also undermines trust in network security and can facilitate further attacks on connected systems.
Mitigation Recommendations
1. Immediately restrict network access to the management interfaces of Ruijie RG-BCR860 devices, limiting exposure to trusted IP addresses only.
2. Implement strict firewall rules and network segmentation to isolate these devices from untrusted networks, including the internet.
3. Monitor network traffic for unusual POST requests targeting the /usr/lib/lua/luci/controller/api/rcmsAPI.lua endpoint, especially those invoking action_deal_update.
4. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect command injection attempts.
5. Regularly audit device configurations and logs for signs of compromise or suspicious activity.
6. Engage with Ruijie Networks for official patches or firmware updates addressing this vulnerability and apply them promptly once available.
7. Consider deploying application-layer gateways or web application firewalls (WAFs) capable of filtering malicious payloads targeting the vulnerable API.
8. Educate network administrators about the risks and signs of exploitation to enhance incident response readiness.
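Added example (not from this advisory, Ruijie, or any vendor tooling): a small Python scanner that turns mitigation steps 1 and 3 into something you can run over HTTP access logs from a reverse proxy or WAF in front of the device. It flags POST requests whose target contains both the controller name (rcmsAPI) and the vulnerable action (action_deal_update), and raises the severity when the client is outside an assumed management allowlist. The URL route that LuCI assigns to this controller is not stated in the advisory, so the example matches on those substrings rather than on a full path, and the log lines, the 10.0.0.0/24 allowlist and the /cgi-bin/luci/api/... paths are all constructed assumptions.

```python
"""Flag POST requests aimed at the rcmsAPI action_deal_update handler in
HTTP access logs and rate them against a management allowlist.
Constructed illustration for CVE-2025-56110; not vendor or project code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Combined-log-format line, e.g. from a reverse proxy in front of the device.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers taken from the advisory: the controller file name and the action.
# The real URL route is not given by the advisory (assumption: it appears in
# the request target); if the action name travels in the POST body instead,
# the proxy must log bodies for this check to see it.
CONTROLLER_MARKER = "rcmsAPI"
ACTION_MARKER = "action_deal_update"

# Assumed management allowlist (mitigation step 1); replace with your ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]


@dataclass
class Finding:
    client_ip: str
    timestamp: str
    target: str
    severity: str  # "high" if the client is outside TRUSTED_NETS, else "medium"


def is_trusted(ip: str) -> bool:
    """True when the client address falls inside one of the allowlisted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def scan(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per POST that targets the vulnerable action."""
    findings: list[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        if m["method"] != "POST":
            continue
        target = m["target"]
        if CONTROLLER_MARKER not in target or ACTION_MARKER not in target:
            continue
        # Even an allowlisted client hitting this action deserves a look,
        # but an untrusted source is the stronger signal.
        sev = "medium" if is_trusted(m["ip"]) else "high"
        findings.append(Finding(m["ip"], m["ts"], target, sev))
    return findings


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOGS = [
    '10.0.0.5 - - [11/Dec/2025:18:38:57 +0000] "GET /cgi-bin/luci/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Dec/2025:18:39:10 +0000] '
    '"POST /cgi-bin/luci/api/rcmsAPI/action_deal_update HTTP/1.1" 200 88',
    '203.0.113.9 - - [11/Dec/2025:18:40:02 +0000] '
    '"POST /cgi-bin/luci/api/rcmsAPI/action_deal_update HTTP/1.1" 200 88',
    '10.0.0.7 - - [11/Dec/2025:18:41:30 +0000] '
    '"POST /cgi-bin/luci/api/rcmsAPI/status HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.severity.upper():6} {f.client_ip} {f.timestamp} {f.target}")
```

On the constructed sample the scanner reports two hits: the allowlisted 10.0.0.5 as medium and the external 203.0.113.9 as high; the GET and the POST to a different action are ignored. Feed it `sys.stdin` or a rotated log file in place of SAMPLE_LOGS to use it on real data.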
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693b0fc17d4c6f31f7bf9f38
Added to database: 12/11/2025, 6:38:57 PM
Last enriched: 12/19/2025, 5:34:26 AM
Last updated: 2/7/2026, 1:49:47 PM
Views: 65
Related Threats
- CVE-2026-2085: Command Injection in D-Link DWR-M921 (High)
- CVE-2026-2084: OS Command Injection in D-Link DIR-823X (High)
- CVE-2026-2083: SQL Injection in code-projects Social Networking Site (Medium)
- CVE-2026-2082: OS Command Injection in D-Link DIR-823X (Medium)
- CVE-2026-2080: Command Injection in UTT HiPER 810 (High)