CVE-2025-44963

9.0 CRITICAL

📋 TL;DR

CVE-2025-44963 allows attackers to forge administrator JSON Web Tokens (JWTs) in RUCKUS Network Director (RND) by exploiting a hardcoded secret key. This enables authentication bypass and administrative privilege escalation. Organizations running RND versions before 4.5 are affected.

💻 Affected Systems

Products:
  • RUCKUS Network Director (RND)
Versions: All versions before 4.5
Operating Systems: Not OS-specific - affects RND appliance/software
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected RND versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the RUCKUS Network Director with administrative access, allowing attackers to reconfigure network infrastructure, deploy malicious firmware, intercept traffic, and pivot to other network segments.

🟠 Likely Case

Unauthorized administrative access to RND leading to network configuration changes, user account manipulation, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact if network segmentation isolates RND management interfaces and strong access controls are in place, though authentication bypass remains possible.

🌐 Internet-Facing: HIGH - If RND management interface is exposed to the internet, attackers can remotely exploit this without authentication.
🏢 Internal Only: HIGH - Even internally, any attacker with network access to RND can exploit this vulnerability to gain administrative privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of the hardcoded secret key, which may be obtained through reverse engineering or information disclosure. No authentication is required to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RND 4.5 and later

Vendor Advisory: https://webresources.commscope.com/download/assets/FAQ+Security+Advisory%3A+ID+20250710/225f44ac3bd311f095821adcaa92e24e

Restart Required: Yes

Instructions:

1. Download RND version 4.5 or later from RUCKUS support portal.
2. Backup current configuration.
3. Apply the update through the RND web interface or CLI.
4. Restart the RND appliance/service.
5. Verify successful upgrade and functionality.

🔧 Temporary Workarounds

Network Segmentation

Isolate RND management interface to trusted administrative networks only

Access Control Lists

Implement strict firewall rules limiting access to RND management ports (typically 443/TCP)

🧯 If You Can't Patch

  • Immediately restrict network access to RND management interface using firewall rules
  • Implement multi-factor authentication for administrative access if supported
  • Monitor RND logs for unauthorized access attempts and JWT-related anomalies

🔍 How to Verify

Check if Vulnerable:

Check RND version via web interface (Admin > System > About) or CLI command 'show version'. If version is below 4.5, system is vulnerable.

Check Version:

show version (CLI) or check Admin > System > About in web interface

Verify Fix Applied:

Verify RND version is 4.5 or higher. Test administrative JWT functionality by logging out and back in to ensure proper authentication.

📡 Detection & Monitoring

Log Indicators:

  • Failed login attempts followed by successful admin access
  • JWT token generation/validation errors
  • Unusual administrative actions from unexpected IP addresses

Network Indicators:

  • HTTP/HTTPS requests to RND management interface with forged JWT tokens
  • Authentication bypass patterns in web traffic

SIEM Query:

source="rnd-logs" AND (event_type="auth_failure" OR event_type="admin_action") | stats count by src_ip, user | where count > threshold
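
A token signed with the hardcoded key passes signature validation, so the useful signal is an admin action with no matching login rather than a validation error. The following is an added example, not vendor or RND code: it correlates the log indicators above over constructed sample lines. The `event_type`, `src_ip` and `user` fields come from the SIEM query; the key=value line format, the `ts` and `action` fields, the `auth_success` value and both thresholds are assumptions.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

SESSION_WINDOW = timedelta(hours=8)   # assumed maximum session lifetime
FAILURE_THRESHOLD = 3                 # assumed; tune to your own baseline

# Constructed sample events (not real RND output).
SAMPLE_LOG = """\
ts=2025-07-15T09:00:02 event_type=auth_success src_ip=10.0.5.20 user=admin
ts=2025-07-15T09:04:10 event_type=admin_action src_ip=10.0.5.20 user=admin action="edit vlan"
ts=2025-07-15T11:30:00 event_type=auth_failure src_ip=10.0.9.77 user=admin
ts=2025-07-15T11:30:04 event_type=auth_failure src_ip=10.0.9.77 user=admin
ts=2025-07-15T11:30:09 event_type=auth_failure src_ip=10.0.9.77 user=admin
ts=2025-07-15T11:41:33 event_type=admin_action src_ip=10.0.9.77 user=admin action="add user"
ts=2025-07-16T02:15:00 event_type=admin_action src_ip=10.0.5.20 user=admin action="export config"
"""

def parse(line):
    """Split one key=value line into a dict with a parsed timestamp."""
    event = dict(tok.split("=", 1) for tok in shlex.split(line))
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def find_suspect_admin_actions(log_text):
    """Return (event, reasons) for admin actions that lack a matching login."""
    last_login = {}               # (user, src_ip) -> time of last auth_success
    failures = defaultdict(int)   # src_ip -> auth_failure count since last success
    findings = []
    for event in map(parse, filter(None, log_text.splitlines())):
        key = (event["user"], event["src_ip"])
        if event["event_type"] == "auth_success":
            last_login[key] = event["ts"]
            failures[event["src_ip"]] = 0
        elif event["event_type"] == "auth_failure":
            failures[event["src_ip"]] += 1
        elif event["event_type"] == "admin_action":
            reasons = []
            login = last_login.get(key)
            # No login on record for this user/IP, or the login is too old.
            if login is None or event["ts"] - login > SESSION_WINDOW:
                reasons.append("no_recent_login")
            # Admin activity from an address that was just failing logins.
            if failures[event["src_ip"]] >= FAILURE_THRESHOLD:
                reasons.append("after_failed_logins")
            if reasons:
                findings.append((event, reasons))
    return findings
```
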
