CVE-2025-56122: n/a
OS Command Injection vulnerability in Ruijie RG-EW1800GX PRO B11P226_EW1800GX-PRO_10223117 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get function in the file /usr/local/lua/dev_sta/networkConnect.lua.
AI Analysis
Technical Summary
CVE-2025-56122 is a critical OS Command Injection vulnerability discovered in the Ruijie RG-EW1800GX PRO router firmware version B11P226_EW1800GX-PRO_10223117. The flaw resides in the module_get function within the /usr/local/lua/dev_sta/networkConnect.lua script, which processes POST requests. An attacker can craft a malicious POST request that injects arbitrary operating system commands, which the device executes with elevated privileges. This allows full control over the router, including the ability to alter configurations, intercept or redirect network traffic, deploy malware, or pivot into internal networks. The vulnerability does not require prior authentication, making it exploitable remotely by any attacker who can reach the device's management interface. No CVSS score has been assigned yet, and no public exploits have been reported, but the nature of the vulnerability suggests a high risk. The Ruijie RG-EW1800GX PRO is commonly deployed in enterprise and ISP environments, making this a significant threat to network infrastructure. The lack of a patch or mitigation details at this time necessitates immediate risk management and monitoring. The vulnerability highlights the risks of insecure input validation in embedded device web interfaces, a common attack vector in network equipment.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to complete compromise of affected routers, resulting in loss of confidentiality, integrity, and availability of network communications. Attackers could intercept sensitive data, disrupt network services, or use compromised devices as footholds for further attacks within corporate or critical infrastructure networks. This could impact sectors such as telecommunications, finance, government, and manufacturing, where Ruijie equipment is deployed. The ability to execute arbitrary commands remotely without authentication increases the risk of widespread exploitation, potentially causing network outages or data breaches. Additionally, compromised routers could be used to launch attacks against other targets, amplifying the threat. The absence of a patch means organizations must rely on network segmentation and access controls to mitigate risk temporarily. The impact is particularly severe for organizations with remote management interfaces exposed to untrusted networks, including the internet.
Mitigation Recommendations
1. Immediately restrict access to the management interface of Ruijie RG-EW1800GX PRO devices to trusted internal networks only, using firewall rules or VPNs.
2. Implement network segmentation to isolate vulnerable devices from critical systems and sensitive data.
3. Monitor network traffic for unusual POST requests targeting /usr/local/lua/dev_sta/networkConnect.lua or the module_get function, using IDS/IPS solutions with custom signatures.
4. Disable remote management interfaces if not strictly necessary.
5. Regularly audit device configurations and logs for signs of compromise or unauthorized access.
6. Engage with Ruijie support or vendors for firmware updates or patches addressing this vulnerability and apply them promptly once available.
7. Employ endpoint detection and response (EDR) tools on connected systems to detect lateral movement attempts originating from compromised routers.
8. Educate network administrators about this vulnerability and enforce strict credential management and multi-factor authentication for device access where possible.
9. Consider deploying network anomaly detection systems to identify unusual command execution patterns or traffic flows.
10. Prepare incident response plans specifically addressing router compromise scenarios.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 693b13487d4c6f31f7c065a8
Added to database: 12/11/2025, 6:54:00 PM
Last enriched: 12/11/2025, 7:10:02 PM
Last updated: 12/12/2025, 4:00:24 AM