CVE-2025-65363 is a critical authenticated command injection vulnerability found in Ruijie Access Points running AP_RGOS version 11.1.x. The flaw exists in the web management interface, specifically the web_action.do endpoint, which accepts a 'command' parameter vulnerable to append-style injection. An attacker with valid web authentication credentials can append arbitrary shell commands to this parameter, which are executed with root privileges on the device. This capability enables attackers to perform unauthorized file disclosure, disrupt device functionality, and potentially use the compromised AP as a pivot point to launch further attacks within the internal network. The vulnerability arises due to insufficient input sanitization and improper command execution handling in the web interface. While no public exploits have been reported yet, the root-level command execution and network pivot potential make this a high-risk vulnerability. The lack of a CVSS score indicates it is newly disclosed, but the technical details and impact suggest critical severity. Ruijie APs are commonly deployed in enterprise and service provider environments, making this vulnerability particularly concerning for organizations relying on these devices for wireless network access and management.

For European organizations, exploitation of CVE-2025-65363 could lead to severe consequences including unauthorized access to sensitive internal files, disruption of wireless network services, and the establishment of footholds for lateral movement within corporate or service provider networks. This could result in data breaches, operational downtime, and compromise of critical infrastructure. Given the root-level access, attackers could manipulate network traffic, intercept communications, or disable security controls embedded in the APs. The ability to pivot from a compromised AP to other internal systems increases the risk of widespread network compromise. Organizations in sectors such as finance, telecommunications, government, and critical infrastructure are particularly vulnerable due to their reliance on secure and stable wireless networks. The absence of known exploits currently provides a window for proactive mitigation, but the threat landscape could rapidly evolve once exploit code becomes available.

1. Immediately restrict access to the web management interface of Ruijie APs to trusted administrative networks using network segmentation and firewall rules. 2. Enforce strong authentication mechanisms and consider multi-factor authentication for web interface access to reduce the risk of credential compromise. 3. Monitor web server logs for suspicious or anomalous requests targeting the web_action.do endpoint, especially those containing unusual command parameters. 4. Apply any vendor-provided patches or firmware updates as soon as they become available to remediate the vulnerability. 5. If patches are not yet available, consider disabling the vulnerable web interface or limiting its functionality temporarily. 6. Conduct internal network scans to identify all Ruijie APs running AP_RGOS 11.1.x and prioritize their remediation. 7. Implement network intrusion detection systems (NIDS) with signatures or heuristics to detect command injection attempts targeting this endpoint. 8. Educate administrators about the risks of authenticated command injection and the importance of safeguarding management credentials.