CVE-2025-56122 is an OS Command Injection vulnerability identified in the Ruijie RG-EW1800GX PRO router firmware version B11P226_EW1800GX-PRO_10223117. The flaw exists in the module_get function within the Lua script located at /usr/local/lua/dev_sta/networkConnect.lua. An attacker with low privileges can exploit this vulnerability by crafting a malicious POST request to this endpoint, which improperly sanitizes input, allowing arbitrary command execution on the underlying operating system. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that user-supplied input is not correctly validated before being passed to system commands. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Exploitation could allow attackers to take full control of the device, manipulate network traffic, disrupt services, or pivot to internal networks. No patches or official fixes have been published yet, and no public exploits are known, but the vulnerability’s characteristics suggest it could be weaponized rapidly once disclosed.

For European organizations, this vulnerability poses a critical risk to network security and operational continuity. Compromise of the Ruijie RG-EW1800GX PRO routers could lead to unauthorized access to sensitive internal networks, interception or manipulation of data, and disruption of network services. Given the device’s role as a network gateway, attackers could establish persistent footholds, launch lateral movement, or exfiltrate confidential information. Critical infrastructure sectors such as finance, healthcare, and government agencies using these routers may face severe operational and reputational damage. The high severity and ease of exploitation increase the urgency for mitigation, especially in environments with limited network segmentation or where these devices are exposed to untrusted networks.

Immediate mitigation steps include restricting network access to the management interface of the affected routers, ideally limiting it to trusted internal IP addresses only. Implement strict firewall rules to block unauthorized POST requests targeting the vulnerable endpoint. Network segmentation should be enforced to isolate these devices from critical systems. Monitor network traffic for unusual POST requests or command execution patterns related to /usr/local/lua/dev_sta/networkConnect.lua. Since no official patches are available, consider deploying intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect exploitation attempts. Engage with Ruijie support for firmware updates or advisories and plan for prompt patch deployment once available. Additionally, conduct regular audits of device configurations and logs to detect potential compromise early.