CVE-2025-56113 is an OS Command Injection vulnerability identified in Ruijie RG-YST EST devices running YSTAP_3.0(1)B11P280YST250F V1.xxV2.xx firmware versions. The vulnerability resides in the pwdmodify function within the Lua script located at /usr/lib/lua/luci/modules/common.lua. An attacker with low privileges (PR:L) can send a specially crafted POST request to this endpoint, which fails to properly sanitize input, allowing arbitrary OS command execution. The vulnerability is remotely exploitable over the network (AV:N) without requiring user interaction (UI:N). The CVSS v3.1 score is 8.8, indicating high severity, with impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). This means an attacker can potentially take full control of the affected device, manipulate data, disrupt services, or use the device as a pivot point for further network compromise. Although no public exploits are currently known, the vulnerability's nature and ease of exploitation make it a critical concern. The CWE-78 classification confirms it is a classic OS command injection flaw due to improper input validation. The lack of available patches at the time of publication necessitates immediate risk mitigation through network controls and monitoring.

For European organizations, this vulnerability poses a significant risk, especially for those relying on Ruijie RG-YST EST devices in their network infrastructure. Successful exploitation can lead to full device compromise, enabling attackers to intercept or manipulate sensitive data, disrupt network services, or establish persistent footholds within corporate networks. This could affect confidentiality of communications, integrity of network configurations, and availability of critical network services. Given the high CVSS score and remote exploitability, critical infrastructure sectors such as finance, telecommunications, government, and energy in Europe could face severe operational disruptions and data breaches. The vulnerability's exploitation could also facilitate lateral movement and further attacks within organizational networks, amplifying the impact. The absence of known exploits currently provides a window for proactive defense, but the risk of rapid weaponization remains high.

European organizations should immediately restrict access to the management interfaces of Ruijie RG-YST EST devices, ideally limiting connections to trusted internal networks or VPNs. Implement strict network segmentation to isolate these devices from general user networks. Employ intrusion detection and prevention systems (IDS/IPS) with signatures or anomaly detection tuned to identify unusual POST requests targeting the pwdmodify endpoint or suspicious command injection patterns. Monitor logs for repeated or malformed requests to the affected Lua module. Coordinate with Ruijie for timely firmware updates or patches and apply them as soon as they become available. If patches are delayed, consider temporary workarounds such as disabling the vulnerable pwdmodify functionality if feasible or applying custom input validation filters at the network perimeter. Conduct thorough audits of device configurations and access controls to minimize privilege exposure. Train security teams to recognize exploitation attempts and prepare incident response plans specific to this vulnerability.