CVE-2025-56120: n/a
OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_set in file /usr/local/lua/dev_config/config_retain.lua.
AI Analysis
Technical Summary
CVE-2025-56120 is an OS Command Injection vulnerability identified in Ruijie X60 PRO network devices, specifically in firmware versions V1.00 and V2.00. The vulnerability resides in the Lua script located at /usr/local/lua/dev_config/config_retain.lua, within the module_set functionality. An attacker with low privileges can send a specially crafted POST request to this module_set endpoint, which fails to properly sanitize input, allowing arbitrary OS commands to be executed on the underlying system. This type of injection (CWE-78) can lead to full system compromise, including unauthorized access, data exfiltration, and disruption of network services. The CVSS v3.1 base score of 8.8 reflects the vulnerability's high impact on confidentiality, integrity, and availability, combined with its network attack vector, low attack complexity, and no requirement for user interaction. Although no public exploits are reported yet, the vulnerability's characteristics make it a prime target for attackers once exploit code becomes available. The lack of available patches at the time of disclosure increases the urgency for affected organizations to implement interim mitigations. This vulnerability is particularly concerning for environments where Ruijie X60 PRO devices serve as critical network infrastructure components, as exploitation could lead to widespread network disruption or compromise.
Potential Impact
For European organizations, exploitation of CVE-2025-56120 could result in severe operational disruptions, data breaches, and loss of control over network infrastructure. Given the Ruijie X60 PRO's role as a network device, attackers could leverage this vulnerability to pivot within internal networks, exfiltrate sensitive data, or launch further attacks against connected systems. Critical sectors such as telecommunications, finance, healthcare, and government agencies that deploy these devices may face heightened risks, including service outages and regulatory compliance violations under GDPR due to potential data exposure. The vulnerability's ability to compromise device integrity and availability could also impact business continuity and damage organizational reputation. Since the attack requires only low privileges and no user interaction, the threat surface is broad, increasing the likelihood of successful exploitation if devices are exposed to untrusted networks or insufficiently protected management interfaces.
Mitigation Recommendations
1. Immediately restrict network access to the management interfaces of Ruijie X60 PRO devices, ensuring only trusted administrators can reach the module_set endpoint.
2. Implement network segmentation to isolate vulnerable devices from critical infrastructure and limit lateral movement in case of compromise.
3. Monitor network traffic for anomalous POST requests targeting /usr/local/lua/dev_config/config_retain.lua or the module_set functionality, using intrusion detection/prevention systems with custom signatures.
4. Apply strict input validation and filtering at network perimeters to block suspicious payloads attempting command injection.
5. Engage with Ruijie support to obtain firmware updates or patches as soon as they become available and plan for prompt deployment.
6. Conduct regular vulnerability assessments and penetration testing focused on network devices to identify and remediate similar issues proactively.
7. Maintain comprehensive logging and alerting on device management activities to detect potential exploitation attempts early.
8. Educate network administrators about the risks and signs of exploitation related to this vulnerability to enhance incident response readiness.
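The detection step from recommendations 3 and 7, flagging POST requests to module_set whose decoded parameters carry shell metacharacters, as an added example that is not part of this advisory or of any Ruijie software. It assumes a combined access-log format with the request body logged after the status code and a placeholder URL path of /module_set; both are assumptions, since the page names only the Lua file and the module_set function, not the HTTP route.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines, not real Ruijie X60 PRO logs. The path
# "/module_set" and the quoted POST body after the status are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2025:10:01:02 +0000] "POST /module_set HTTP/1.1" 200 "module=wan&retain=1"
10.0.0.9 - - [12/Dec/2025:10:01:07 +0000] "POST /module_set HTTP/1.1" 200 "module=wan;id&retain=1"
10.0.0.7 - - [12/Dec/2025:10:02:11 +0000] "GET /status HTTP/1.1" 200 "-"
10.0.0.9 - - [12/Dec/2025:10:02:40 +0000] "POST /module_set HTTP/1.1" 200 "module=%24%28id%29&retain=1"
10.0.0.5 - - [12/Dec/2025:10:03:05 +0000] "POST /module_set HTTP/1.1" 200 "module=lan&retain=0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)

# Constructs a POSIX shell interprets if a value is concatenated into a command
# string (CWE-78): separators, pipes, backticks, newlines, $(...) and ${...}.
SHELL_META_RE = re.compile(r'[;&|`\n]|\$\(|\$\{')


def decode_form(body):
    """Split an x-www-form-urlencoded body into decoded (name, value) pairs.
    Splitting on '&' precedes decoding, so %26 or %3B stays inside its value."""
    pairs = []
    for part in body.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def suspicious_params(entry):
    """(name, value) pairs of a module_set POST whose decoded value carries
    shell metacharacters; empty for other requests or clean bodies."""
    if entry["method"] != "POST" or "module_set" not in entry["path"]:
        return []
    return [(n, v) for n, v in decode_form(entry["body"]) if SHELL_META_RE.search(v)]


def scan_log(text):
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            for name, value in suspicious_params(entry):
                findings.append((entry["src"], entry["ts"], name, value))
    return findings
```

Each finding is (source address, timestamp, parameter name, decoded value), so the same logic can feed an IDS custom signature or a SIEM alert rule on device management logs.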
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693b0fc27d4c6f31f7bf9f6d
Added to database: 12/11/2025, 6:38:58 PM
Last enriched: 12/19/2025, 5:36:18 AM
Last updated: 2/7/2026, 6:37:19 AM