CVE-2025-56113 is an OS command injection vulnerability identified in Ruijie RG-YST EST devices running the YSTAP_3.0(1)B11P280YST250F firmware versions V1.xx and V2.xx. The vulnerability resides in the pwdmodify function located in the Lua script file /usr/lib/lua/luci/modules/common.lua. An attacker can exploit this flaw by sending a crafted POST request to this function, which fails to properly sanitize input parameters before passing them to system-level commands. This lack of input validation enables arbitrary command execution on the underlying operating system with the privileges of the affected service, potentially root or administrative level. The vulnerability does not require authentication, increasing the attack surface, especially if the device’s management interface is exposed to untrusted networks or the internet. While no public exploits or patches are currently documented, the vulnerability’s presence in network infrastructure devices like routers or switches poses a significant risk. Attackers could leverage this to gain persistent access, disrupt network operations, or pivot to internal networks. The absence of a CVSS score suggests the need for an expert severity assessment, which, given the impact and ease of exploitation, is critical. The vulnerability was reserved in August 2025 and published in December 2025, indicating recent discovery and disclosure.

For European organizations, the impact of CVE-2025-56113 could be severe. Ruijie devices are commonly used in telecommunications, enterprise networking, and critical infrastructure sectors. Successful exploitation could lead to unauthorized command execution, resulting in data breaches, network downtime, or complete device takeover. This could disrupt business operations, compromise sensitive data, and damage organizational reputation. Given the lack of authentication required, attackers could exploit exposed management interfaces remotely, increasing the risk of widespread attacks. Critical sectors such as finance, healthcare, and government agencies relying on Ruijie equipment may face heightened risks. Additionally, attackers could use compromised devices as footholds for lateral movement within corporate networks or for launching further attacks such as ransomware or espionage. The potential for service disruption also poses risks to national infrastructure and public services in Europe.

1. Immediately restrict access to the management interfaces of Ruijie RG-YST EST devices to trusted internal networks only, using firewall rules and network segmentation. 2. Implement strict input validation and monitoring on network traffic to detect and block suspicious POST requests targeting the pwdmodify function or similar endpoints. 3. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of identifying command injection attempts. 4. Monitor device logs for unusual command execution patterns or unauthorized access attempts. 5. Coordinate with Ruijie Networks for official patches or firmware updates addressing this vulnerability and apply them promptly once available. 6. If patches are not yet available, consider temporary mitigations such as disabling vulnerable services or applying custom access control lists to limit exposure. 7. Conduct regular security audits and penetration testing focused on network infrastructure devices to identify and remediate similar vulnerabilities. 8. Educate network administrators about the risks and signs of exploitation related to this vulnerability to improve incident response readiness.