CVE-2025-56124: n/a
OS Command Injection vulnerability in Ruijie X60 PRO X60_10212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the module_get in file /usr/local/lua/dev_sta/networkConnect.lua.
AI Analysis
Technical Summary
CVE-2025-56124 is an OS command injection vulnerability identified in Ruijie X60 PRO network devices, specifically affecting firmware versions V1.00 and V2.00. The vulnerability resides in the Lua script /usr/local/lua/dev_sta/networkConnect.lua within the module_get function, which processes POST requests insecurely. An attacker with low privileges and local access can craft a malicious POST request that injects arbitrary OS commands, leading to full compromise of the device. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that input is not properly sanitized before being passed to system-level command execution. The CVSS v3.1 base score is 7.8, reflecting high severity due to high impact on confidentiality, integrity, and availability, combined with low attack complexity and no user interaction required. Although no public exploits or patches are currently available, the vulnerability poses a significant risk to affected devices. The lack of authentication requirement is mitigated by the need for local access, which could be achieved via network access if management interfaces are exposed or compromised. This vulnerability could allow attackers to execute arbitrary commands, potentially leading to device takeover, network pivoting, data exfiltration, or denial of service.
Potential Impact
For European organizations, exploitation of CVE-2025-56124 could result in severe operational disruptions and data breaches. Ruijie X60 PRO devices are typically used in enterprise and service provider networks, so compromise could lead to unauthorized access to internal networks, interception or manipulation of sensitive data, and disruption of network services. Confidentiality is at risk due to potential data leakage; integrity is compromised as attackers can alter device configurations or network traffic; availability can be impacted by denial-of-service conditions caused by malicious commands. Critical infrastructure sectors such as telecommunications, finance, and government agencies using these devices may face heightened risks. The vulnerability's requirement for local access means that organizations with exposed management interfaces or weak internal network segmentation are particularly vulnerable. The absence of known exploits currently provides a window for proactive defense, but the high severity score underscores the urgency of mitigation.
Mitigation Recommendations
European organizations should immediately audit their network to identify Ruijie X60 PRO devices running vulnerable firmware versions. Restrict access to device management interfaces by implementing strict network segmentation and access control lists (ACLs) to limit local access only to trusted administrators. Employ network monitoring and intrusion detection systems to detect anomalous POST requests targeting the networkConnect.lua module. Disable or restrict unnecessary services and interfaces that could provide local access to attackers. Establish a vulnerability management process to track Ruijie firmware updates and apply patches promptly once released. Consider deploying host-based application firewalls or endpoint protection on management workstations to prevent exploitation attempts. Conduct regular security training for administrators to recognize and respond to suspicious activity. If possible, implement multi-factor authentication and encrypted management channels to reduce the risk of unauthorized access. Finally, prepare incident response plans specifically addressing potential exploitation scenarios of this vulnerability.
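As an added example (not code from this page, from Ruijie, or from the CVE record), the following Python script shows one way to implement the detection recommendation above over access logs from a reverse proxy or WAF in front of the device's management interface. It flags POST requests to the vulnerable script that either come from outside an assumed admin subnet (the ACL recommendation) or carry shell metacharacters in the decoded form values (the CWE-78 signal). The JSON log format, the field names, the full URL route, the admin subnet and the request bodies are all constructed assumptions; the CVE record publishes only the script path, not the parameter names.

```python
import json
import re
import ipaddress
from urllib.parse import parse_qsl

# Constructed sample log lines (JSON, one per line) in the shape a reverse
# proxy or WAF in front of the management interface might emit. Field names,
# route, source addresses and bodies are assumptions for this example only.
SAMPLE_LOG = """\
{"ts":"2025-12-11T18:00:01Z","src":"10.10.5.20","method":"POST","path":"/cgi-bin/lua/dev_sta/networkConnect.lua","body":"iface=wan0&mode=dhcp"}
{"ts":"2025-12-11T18:00:09Z","src":"10.10.5.20","method":"GET","path":"/cgi-bin/lua/dev_sta/networkConnect.lua","body":""}
{"ts":"2025-12-11T18:01:42Z","src":"192.0.2.77","method":"POST","path":"/cgi-bin/lua/dev_sta/networkConnect.lua","body":"iface=wan0%3B%20echo%20test"}
{"ts":"2025-12-11T18:02:10Z","src":"10.10.5.21","method":"POST","path":"/cgi-bin/lua/dev_sta/networkConnect.lua","body":"iface=%60echo%20x%60&mode=static"}
{"ts":"2025-12-11T18:03:00Z","src":"10.10.5.20","method":"POST","path":"/cgi-bin/lua/status.lua","body":"page=1"}
"""

# Hosts allowed to reach the management interface (assumed admin subnet).
ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Script name from the CVE description; the full route is not published,
# so match on the script name anywhere in the request path.
TARGET_SCRIPT = "networkConnect.lua"

# Shell metacharacters that have no place in a network-settings form value.
# '&' is included because, after form decoding, it can only appear inside a
# value if it was percent-encoded, which is itself unusual.
SHELL_META = re.compile(r"[;|&`$<>\n]")


def is_trusted(src):
    """True if the source address lies inside an allowed admin network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ADMIN_NETS)


def analyse_event(event):
    """Return the reasons to flag one parsed log event (empty list if benign)."""
    reasons = []
    if event.get("method") != "POST" or TARGET_SCRIPT not in event.get("path", ""):
        return reasons
    if not is_trusted(event.get("src", "0.0.0.0")):
        reasons.append("POST to vulnerable script from outside admin subnet")
    # parse_qsl percent-decodes each value, so encoded metacharacters such as
    # %3B or %60 are inspected in their decoded form rather than missed.
    for key, value in parse_qsl(event.get("body", ""), keep_blank_values=True):
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in decoded value of {key!r}")
            break
    return reasons


def scan_log(text):
    """Parse JSON lines and return [(ts, src, reasons)] for flagged events."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than stop the pipeline
        reasons = analyse_event(event)
        if reasons:
            findings.append((event.get("ts"), event.get("src"), reasons))
    return findings


if __name__ == "__main__":
    for ts, src, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {src}: {'; '.join(reasons)}")
```

Run against the constructed sample, the benign request from the admin subnet and the GET request pass, while the request from 192.0.2.77 is flagged twice (untrusted source and a ';' in the decoded value) and the request from 10.10.5.21 is flagged once (backticks in the decoded value). Matching on the decoded value per parameter rather than on the raw body is what keeps the benign "iface=wan0&mode=dhcp" from tripping on the '&' separator.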
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693b13487d4c6f31f7c065b2
Added to database: 12/11/2025, 6:54:00 PM
Last enriched: 12/19/2025, 5:37:11 AM
Last updated: 2/6/2026, 10:09:49 PM
Views: 66