CVE-2025-56117: n/a
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V1_09241521 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_sta/nbr_cwmp.lua.
AI Analysis
Technical Summary
CVE-2025-56117 is an OS Command Injection vulnerability identified in the Ruijie X30-PRO router firmware version X30-PRO-V1_09241521. The flaw exists in the module_set function located in the Lua script /usr/local/lua/dev_sta/nbr_cwmp.lua, which processes POST requests. An attacker with low privileges (PR:L) can craft a malicious POST request to this endpoint, injecting arbitrary operating system commands that the device executes. The vulnerability does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N). The CVSS v3.1 base score is 8.8, indicating high severity with impacts rated as high on confidentiality, integrity, and availability. Successful exploitation could lead to full device compromise, allowing attackers to manipulate network traffic, exfiltrate sensitive data, or disrupt services. No patches or official fixes have been published yet, and no active exploits are currently known. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a common and dangerous injection flaw. Given the critical role of routers in network infrastructure, this vulnerability poses a significant risk to organizations relying on Ruijie X30-PRO devices.
Potential Impact
For European organizations, this vulnerability threatens the security and stability of network infrastructure where Ruijie X30-PRO routers are deployed. Exploitation could lead to unauthorized command execution, enabling attackers to intercept or redirect network traffic, deploy malware, or cause denial of service. This compromises confidentiality by exposing sensitive communications, integrity by allowing manipulation of network configurations or data, and availability by potentially disabling network access. Critical sectors such as telecommunications, government, finance, and industrial control systems could face operational disruptions and data breaches. The lack of available patches increases the risk window, necessitating immediate defensive measures. The vulnerability's remote exploitability and absence of user interaction requirements make it particularly dangerous in environments with exposed management interfaces or insufficient network segmentation.
Mitigation Recommendations
1. Immediately restrict access to the management interfaces of Ruijie X30-PRO devices to trusted internal networks only, using firewall rules and access control lists.
2. Implement network segmentation to isolate critical infrastructure and limit lateral movement in case of compromise.
3. Monitor network traffic for unusual POST requests targeting the /usr/local/lua/dev_sta/nbr_cwmp.lua module_set endpoint, employing intrusion detection/prevention systems with custom signatures.
4. Disable or restrict unnecessary services and interfaces on the affected devices to reduce the attack surface.
5. Regularly audit device configurations and logs for signs of exploitation attempts.
6. Engage with Ruijie Networks for timely updates and patches; apply firmware updates as soon as they become available.
7. Consider deploying compensating controls such as Web Application Firewalls (WAFs) or reverse proxies to filter malicious payloads targeting the vulnerable endpoint.
8. Educate network administrators about the vulnerability and ensure strict credential management to prevent privilege escalation.
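A small detection helper for recommendations 3 and 5, added here as an example and not taken from the advisory or from Ruijie. It assumes a proxy, WAF or IDS log with one request per line (METHOD PATH BODY); the advisory does not state the HTTP route that reaches module_set, so the path in the constructed sample is a placeholder and matching relies on the file and function names the advisory does give.

```python
"""Detection helper for CVE-2025-56117 (Ruijie X30-PRO, nbr_cwmp.lua module_set).

Added example, not from the advisory or Ruijie. Assumes a proxy/WAF/IDS log with
one request per line (METHOD PATH BODY). The HTTP route to module_set is not in
the advisory, so the path below is a placeholder; matching uses the tokens named.
"""
import re
from urllib.parse import parse_qsl

# Tokens from the advisory's file and function names (assumed visible in the
# request path or body of the management call).
ENDPOINT_TOKENS = ("nbr_cwmp", "module_set")
# Shell metacharacters that have no legitimate place in a decoded CWMP value.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Constructed sample log; the path is a placeholder, not the real route.
SAMPLE_LOG = """\
POST /mgmt/dev_sta/nbr_cwmp/module_set name=acs_url&value=http%3A%2F%2Facs.example
POST /mgmt/dev_sta/nbr_cwmp/module_set name=acs_url&value=x%3Bid
GET /mgmt/status -
POST /mgmt/dev_sta/nbr_cwmp/module_set name=period&value=$(uname)
POST /mgmt/login user=admin&pass=REDACTED
"""

def suspicious_values(body: str) -> list[str]:
    """Decode the form body and return values containing shell metacharacters;
    decoding first matters since '&' separates fields and '%3B' hides a ';'."""
    return [v for _, v in parse_qsl(body, keep_blank_values=True)
            if SHELL_META.search(v)]

def classify(line: str) -> str:
    """alert: POST to the module_set path with a metacharacter in a decoded value;
    watch: such a POST that looks clean (PR:L means an account sent it, so audit);
    ok: anything else."""
    parts = line.split(" ", 2)
    if len(parts) < 3 or parts[0] != "POST":
        return "ok"
    _, path, body = parts
    if not any(tok in path or tok in body for tok in ENDPOINT_TOKENS):
        return "ok"
    return "alert" if suspicious_values(body) else "watch"

def scan(log: str) -> list[tuple[str, str]]:
    """Classify every non-empty line of the log."""
    return [(classify(l), l) for l in log.splitlines() if l.strip()]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG):
        print(f"{verdict:5} {line}")
```

Any "watch" hit is still worth reviewing against the device's expected CWMP/ACS configuration changes, since the metacharacter check only catches the obvious shape of an injection.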
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693b0fc27d4c6f31f7bf9f63
Added to database: 12/11/2025, 6:38:58 PM
Last enriched: 12/19/2025, 5:35:29 AM
Last updated: 2/7/2026, 5:31:21 AM