CVE-2025-56117 is a critical OS Command Injection vulnerability identified in the Ruijie X30-PRO router firmware version X30-PRO-V1_09241521. The vulnerability resides in the Lua script module located at /usr/local/lua/dev_sta/nbr_cwmp.lua, specifically in the module_set function that processes POST requests. An attacker can craft a malicious POST request to this endpoint to inject and execute arbitrary operating system commands with the privileges of the web server process. This type of vulnerability allows attackers to gain unauthorized control over the device, potentially leading to full compromise, including data exfiltration, network manipulation, or pivoting to internal networks. The vulnerability does not currently have a CVSS score or publicly available patches, and no known exploits have been reported in the wild. However, the nature of OS command injection vulnerabilities typically implies a high risk due to the ease of exploitation and the potential impact on device integrity and availability. The affected device, Ruijie X30-PRO, is commonly deployed in enterprise and service provider networks, making this vulnerability particularly concerning for organizations relying on this hardware for critical network functions.

For European organizations, exploitation of this vulnerability could lead to severe consequences including unauthorized remote code execution on network routers, resulting in loss of confidentiality, integrity, and availability of network infrastructure. Attackers could intercept or manipulate network traffic, disrupt services, or use compromised devices as footholds for further attacks within the corporate network. Given the role of routers in managing and securing network traffic, a successful attack could impact critical business operations, especially in sectors such as telecommunications, finance, and government. The lack of patches and known exploits increases the risk of zero-day exploitation. Additionally, the potential for lateral movement within networks could amplify the damage. Organizations with Ruijie X30-PRO devices in their network perimeter or internal segments are at heightened risk, particularly if these devices are exposed to untrusted networks or lack proper access controls.

1. Immediately restrict access to the management interfaces of Ruijie X30-PRO devices to trusted internal networks only, using firewall rules and network segmentation. 2. Monitor network traffic for unusual POST requests targeting the /usr/local/lua/dev_sta/nbr_cwmp.lua module_set endpoint, employing intrusion detection/prevention systems with custom signatures if necessary. 3. Disable or limit remote management features if not required, especially those accessible from external networks. 4. Implement strict input validation and filtering at network boundaries to detect and block malicious payloads attempting command injection. 5. Engage with Ruijie support or vendors to obtain patches or firmware updates as soon as they become available. 6. Conduct regular security audits and vulnerability scans focusing on network devices to identify and remediate similar issues proactively. 7. Employ network anomaly detection tools to identify unusual device behavior indicative of compromise. 8. Maintain up-to-date backups and incident response plans tailored to network device compromise scenarios.