CVE-2025-56120 is a critical OS Command Injection vulnerability identified in Ruijie X60 PRO networking devices, specifically in firmware versions V1.00 and V2.00. The vulnerability resides in the handling of POST requests to the module_set function within the Lua script located at /usr/local/lua/dev_config/config_retain.lua. An attacker can exploit this flaw by crafting a malicious POST request that injects arbitrary operating system commands, which the device executes with the privileges of the affected service. This type of vulnerability typically arises from improper input validation or sanitization, allowing shell metacharacters or command sequences to be passed directly to the system shell. Since the vulnerability does not require authentication, it can be exploited remotely by unauthenticated attackers, increasing the attack surface significantly. The lack of a published patch or mitigation guidance at the time of disclosure further elevates the risk. While no active exploitation has been reported, the potential impact includes full device compromise, enabling attackers to disrupt network operations, intercept or manipulate traffic, or pivot to other internal systems. The Ruijie X60 PRO is used in various enterprise and service provider environments, making this vulnerability particularly concerning for organizations relying on these devices for critical network infrastructure.

For European organizations, exploitation of CVE-2025-56120 could lead to severe consequences including unauthorized control over network devices, disruption of network services, and potential data breaches. Compromised devices could be used to intercept sensitive communications, launch further attacks within the network, or cause denial of service conditions. Given the role of Ruijie X60 PRO devices in enterprise and ISP networks, the impact extends to operational continuity and data integrity. Organizations in sectors such as telecommunications, finance, government, and critical infrastructure are especially vulnerable due to their reliance on robust and secure network equipment. The absence of authentication requirements for exploitation means that attackers can target exposed management interfaces directly, increasing the likelihood of successful attacks if devices are accessible from untrusted networks. Additionally, the lack of a current patch or workaround increases exposure time, necessitating immediate compensating controls.

To mitigate CVE-2025-56120, European organizations should take the following specific actions: 1) Immediately restrict access to the management interfaces of Ruijie X60 PRO devices by implementing strict firewall rules and network segmentation to limit exposure to trusted administrative networks only. 2) Monitor network traffic for unusual POST requests targeting the /usr/local/lua/dev_config/config_retain.lua module_set endpoint, using intrusion detection or prevention systems with custom signatures. 3) Disable or restrict remote management capabilities if not strictly necessary, especially from external networks. 4) Engage with Ruijie Networks support channels to obtain any available patches, firmware updates, or official mitigation guidance as soon as they are released. 5) Conduct thorough audits of device configurations and logs to detect any signs of compromise or attempted exploitation. 6) Implement network anomaly detection to identify unexpected command execution patterns or system behavior indicative of exploitation attempts. 7) Prepare incident response plans specific to network device compromise scenarios to ensure rapid containment and recovery.