CVE-2025-56111 is an OS command injection vulnerability identified in the Ruijie RG-BCR RG-BCR860 network device. The flaw exists in the handling of POST requests to the network_set_wan_conf function within the Lua script located at /usr/lib/lua/luci/controller/admin/netport.lua. An attacker with low privileges can craft a malicious POST request that injects arbitrary OS commands, which the system executes with the privileges of the affected service. This vulnerability stems from improper input validation and sanitization of user-supplied data, classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The CVSS v3.1 base score of 8.8 reflects the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability allows attackers to gain control over the device, potentially leading to network disruption, data exfiltration, or pivoting to other internal systems. No patches or exploits are currently reported, but the severity and ease of exploitation make this a critical issue for affected users.

For European organizations, exploitation of this vulnerability could lead to severe consequences including unauthorized control over network devices, disruption of WAN configurations, and potential lateral movement within corporate networks. This can compromise sensitive data confidentiality, integrity of network configurations, and availability of critical network services. Organizations relying on Ruijie RG-BCR860 devices for WAN connectivity or critical infrastructure may face operational outages or data breaches. The vulnerability's ability to execute arbitrary commands remotely without user interaction increases the risk of automated or targeted attacks. Given the high CVSS score and the critical role of network devices in enterprise environments, the impact on European businesses, especially those in finance, telecommunications, and government sectors, could be substantial.

1. Immediately restrict network access to the management interface of Ruijie RG-BCR860 devices, limiting it to trusted IP addresses and secure management VLANs. 2. Implement strict firewall rules to block unauthorized POST requests targeting the network_set_wan_conf endpoint. 3. Monitor network traffic for anomalous POST requests or unusual command execution patterns related to the affected Lua script. 4. Engage with Ruijie Networks for official patches or firmware updates addressing CVE-2025-56111 and apply them promptly once available. 5. Conduct regular security audits and penetration tests focusing on network device configurations and access controls. 6. Employ network segmentation to isolate critical devices and limit the blast radius in case of compromise. 7. Educate network administrators on recognizing signs of exploitation and maintaining secure device configurations. 8. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect exploitation attempts targeting this vulnerability.