CVE-2025-56129 is an OS command injection vulnerability identified in the Ruijie RG-BCR RG-BCR860 network device. The vulnerability exists in the action_diagnosis function within the Lua controller script located at /usr/lib/lua/luci/controller/admin/diagnosis.lua. An attacker with low privileges can send a specially crafted POST request to this endpoint, which fails to properly sanitize input parameters before passing them to system command execution functions. This allows arbitrary commands to be executed on the underlying operating system with the privileges of the running service, potentially leading to full system compromise. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Although no affected versions are specified, the vulnerability is tied to the RG-BCR860 model. No patches or official mitigations have been published yet, increasing the urgency for defensive measures. The vulnerability is categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a common and critical class of injection flaws. Given the device's role in network infrastructure, exploitation could allow attackers to disrupt network operations, exfiltrate sensitive data, or pivot deeper into organizational networks.

For European organizations, exploitation of CVE-2025-56129 could result in severe operational disruptions and data breaches. The Ruijie RG-BCR860 is typically deployed in enterprise and service provider environments, meaning compromised devices could serve as entry points for broader network intrusions. Confidentiality is at risk due to potential data exfiltration, while integrity and availability could be compromised through unauthorized command execution leading to device misconfiguration, service outages, or persistent backdoors. Critical sectors such as telecommunications, finance, and government infrastructure relying on these devices may face heightened risks. The lack of patches and the low complexity of exploitation increase the likelihood of targeted attacks or automated scanning campaigns. Additionally, compromised devices could be leveraged in distributed denial-of-service (DDoS) attacks or as part of botnets, amplifying the threat landscape for European networks.

Given the absence of official patches, European organizations should implement immediate compensating controls. First, restrict network access to the management interface of Ruijie RG-BCR860 devices, limiting it to trusted administrative hosts via firewall rules or VPNs. Employ network segmentation to isolate these devices from general user networks and sensitive systems. Monitor network traffic for unusual POST requests targeting the action_diagnosis endpoint and implement intrusion detection/prevention systems (IDS/IPS) signatures to detect and block exploitation attempts. Enforce strict authentication and authorization policies to minimize the number of users with privileges capable of triggering the vulnerable function. Regularly audit device configurations and logs for signs of compromise. Engage with Ruijie support channels to obtain updates on patches or firmware upgrades addressing this vulnerability. Finally, consider deploying endpoint detection and response (EDR) solutions on connected systems to detect lateral movement originating from compromised devices.