CVE-2025-56118 is an operating system command injection vulnerability identified in Ruijie X60 PRO routers running firmware versions V1.00 and V2.00. The vulnerability exists in the module_set function located in the /usr/local/lua/dev_sta/nbr_cwmp.lua script. An attacker can exploit this flaw by crafting a specially designed POST request targeting this module, which allows arbitrary command execution on the underlying operating system without requiring authentication. This type of vulnerability is particularly dangerous because it enables remote attackers to execute commands with the privileges of the affected service, potentially leading to full system compromise. The vulnerability was reserved in August 2025 and published in December 2025, but no CVSS score or patches have been released yet, and no known exploits have been observed in the wild. The lack of authentication and the ability to execute arbitrary commands remotely make this a critical security concern for any organization deploying these devices. The Ruijie X60 PRO is typically used in enterprise and service provider environments, which increases the potential impact of exploitation. The absence of patches necessitates immediate defensive measures such as network segmentation, traffic monitoring, and restricting access to management interfaces until a vendor fix is available.

For European organizations, exploitation of CVE-2025-56118 could lead to severe consequences including unauthorized remote control of network devices, disruption of network services, data exfiltration, and lateral movement within corporate networks. Given that Ruijie devices are often deployed in enterprise and service provider environments, a successful attack could compromise critical infrastructure components, affecting confidentiality, integrity, and availability of network operations. This could result in downtime, loss of sensitive data, and potential regulatory non-compliance under GDPR if personal data is exposed. The ease of exploitation without authentication increases the risk of automated attacks and widespread compromise. Additionally, the lack of patches means organizations must rely on compensating controls, which may not fully mitigate the risk. The threat is particularly acute for sectors with high dependency on network availability and security, such as finance, telecommunications, and government services within Europe.

1. Immediately restrict access to the management interfaces of Ruijie X60 PRO devices to trusted internal networks only, using firewall rules or network segmentation. 2. Implement strict ingress filtering to detect and block suspicious POST requests targeting the vulnerable module_set endpoint. 3. Monitor network traffic and device logs for anomalous activity indicative of command injection attempts. 4. Disable or restrict the affected module if possible, pending vendor guidance. 5. Engage with Ruijie support to obtain information on patches or firmware updates addressing this vulnerability and plan for prompt deployment once available. 6. Employ network intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect exploitation attempts. 7. Conduct regular security assessments and penetration tests focusing on network device security. 8. Educate network administrators about this vulnerability and the importance of monitoring and restricting device access. 9. Maintain an incident response plan tailored to network device compromise scenarios to enable rapid containment and recovery.