CVE-2025-56118 is an OS command injection vulnerability identified in Ruijie X60 PRO routers, specifically in firmware versions V1.00 and V2.00. The vulnerability resides in the Lua script file /usr/local/lua/dev_sta/nbr_cwmp.lua, within the module_set functionality. An attacker with low privileges (PR:L) can exploit this flaw by sending a crafted POST request to the vulnerable endpoint, which fails to properly sanitize input before passing it to system-level commands. This improper input validation (classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command) allows arbitrary command execution on the underlying operating system. The vulnerability has a CVSS 3.1 base score of 8.8, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits are currently known, the vulnerability's characteristics suggest it could be weaponized quickly. The affected devices are typically used in enterprise and service provider networks, making this a significant threat to network infrastructure security. The lack of available patches at the time of publication increases the urgency for organizations to implement compensating controls.

For European organizations, exploitation of CVE-2025-56118 could lead to complete compromise of affected Ruijie X60 PRO devices, resulting in unauthorized access to sensitive network traffic, disruption of network services, and potential lateral movement within corporate networks. This could affect confidentiality by exposing internal communications, integrity by allowing attackers to alter device configurations or data, and availability by causing denial of service or device instability. Critical infrastructure operators, telecommunications providers, and enterprises relying on Ruijie equipment for network connectivity are particularly at risk. The vulnerability's ease of exploitation over the network without user interaction increases the likelihood of targeted attacks or automated scanning campaigns. Given the strategic importance of network infrastructure in Europe, successful exploitation could have cascading effects on business continuity and national security.

1. Immediately restrict network access to the management interfaces of Ruijie X60 PRO devices, allowing only trusted IP addresses and administrative users. 2. Implement strict firewall rules to block unauthorized POST requests targeting the /usr/local/lua/dev_sta/nbr_cwmp.lua module_set endpoint. 3. Monitor network traffic for anomalous POST requests or unusual command execution patterns indicative of exploitation attempts. 4. Employ network segmentation to isolate vulnerable devices from critical systems and sensitive data repositories. 5. Regularly audit device configurations and logs for signs of compromise or unauthorized changes. 6. Engage with Ruijie support channels to obtain firmware updates or patches as soon as they become available. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures tailored to detect exploitation attempts of this vulnerability. 8. Educate network administrators about the vulnerability and enforce the principle of least privilege for device management accounts.