CVE-2025-56127 is an OS Command Injection vulnerability identified in the Ruijie RG-BCR RG-BCR600W network device. The flaw exists in the handling of POST requests to the get_wanobj function within the Lua controller script located at /usr/lib/lua/luci/controller/admin/common.lua. An attacker with low privileges (PR:L) can craft a malicious POST request that injects arbitrary operating system commands due to insufficient input validation or sanitization (CWE-78). The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high severity and potential for remote exploitation without user interaction (UI:N). Successful exploitation could allow attackers to execute commands with the privileges of the affected service, potentially leading to full system compromise, including data theft, service disruption, or lateral movement within the network. Although no public exploits are currently known, the absence of patches and the critical nature of the vulnerability necessitate proactive defensive measures. The vulnerability impacts the confidentiality, integrity, and availability of the device and any connected networks relying on it for WAN connectivity or administrative functions.

For European organizations, this vulnerability poses a significant risk, especially for those deploying Ruijie RG-BCR600W devices in critical network infrastructure. Exploitation could lead to unauthorized access, data exfiltration, network disruption, or use of compromised devices as pivot points for broader attacks. Given the device’s role in WAN management, attacks could affect connectivity and operational continuity. The high CVSS score indicates severe consequences if exploited. Organizations in sectors such as telecommunications, government, finance, and critical infrastructure are particularly vulnerable. The lack of known exploits currently provides a window for mitigation, but the potential for rapid weaponization exists. The vulnerability could also undermine trust in network security and compliance with European data protection regulations if exploited.

1. Immediately restrict network access to the affected device’s management interfaces, especially the endpoint handling get_wanobj POST requests, using firewall rules or network segmentation. 2. Implement strict authentication and authorization controls to limit access to administrative functions. 3. Monitor network traffic for unusual POST requests targeting /usr/lib/lua/luci/controller/admin/common.lua or the get_wanobj function, and set up alerts for suspicious activity. 4. Engage with Ruijie Networks for official patches or firmware updates and apply them promptly once available. 5. Conduct a thorough security audit of all Ruijie devices in the environment to identify and remediate similar vulnerabilities or misconfigurations. 6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect command injection attempts. 7. Educate network administrators about this vulnerability and ensure incident response plans include steps for potential exploitation scenarios. 8. Consider temporary device replacement or alternative solutions if patching is delayed and risk is unacceptable.