CVE-2025-56114 is an OS Command Injection vulnerability identified in Ruijie M18 network devices running firmware version EW_3.0(1)B11P226_M18_10223116. The vulnerability exists in the module_set functionality implemented in the Lua script located at /usr/local/lua/dev_config/config_retain.lua. An attacker with low privileges can send a specially crafted POST request to this endpoint, which fails to properly sanitize input before passing it to system-level command execution functions. This allows arbitrary command execution on the underlying operating system, potentially leading to full device compromise. The CVSS v3.1 base score is 8.8, reflecting a high severity due to network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits or patches are currently available, the vulnerability represents a significant risk given the critical role of network devices in organizational infrastructure. The CWE-78 classification confirms this is a classic OS command injection flaw caused by improper input validation. The vulnerability was reserved in August 2025 and published in December 2025, indicating recent discovery.

For European organizations, exploitation of CVE-2025-56114 could lead to complete compromise of affected Ruijie M18 network devices. This includes unauthorized access to sensitive network traffic, manipulation or disruption of network services, and potential pivoting to internal systems. The high impact on confidentiality, integrity, and availability means attackers could exfiltrate data, modify configurations, or cause denial of service. Critical sectors such as telecommunications, finance, government, and energy that rely on Ruijie equipment for network infrastructure are particularly at risk. The requirement for low privileges means insider threats or compromised credentials could enable exploitation. The absence of patches increases the window of exposure, making proactive mitigation essential. Disruption to network infrastructure could have cascading effects on business operations and national critical infrastructure within Europe.

1. Immediately conduct an inventory to identify all Ruijie M18 devices running the vulnerable firmware version. 2. Restrict network access to management interfaces of these devices using segmentation, firewalls, and VPNs to limit exposure to trusted administrators only. 3. Implement strict access controls and monitor for unusual POST requests targeting the module_set endpoint. 4. Employ intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect exploitation attempts of this command injection vulnerability. 5. Enforce strong authentication mechanisms and rotate credentials regularly to reduce risk from compromised accounts. 6. Engage with Ruijie support channels to obtain patches or firmware updates as soon as they become available. 7. Consider temporary compensating controls such as disabling vulnerable features or applying configuration changes to sanitize inputs if possible. 8. Conduct regular security audits and penetration tests focusing on network device security. 9. Maintain up-to-date backups of device configurations to enable rapid recovery if compromise occurs.