CVE-2025-46116
📋 TL;DR
This vulnerability allows authenticated attackers to bypass CLI restrictions and gain root shell access on Ruckus wireless controllers. Attackers can disable passphrase requirements for a hidden command and execute it to escape the restricted shell. Affected systems include CommScope Ruckus Unleashed and ZoneDirector controllers.
💻 Affected Systems
- CommScope Ruckus Unleashed
- Ruckus ZoneDirector
📦 What is this software?
Ruckus Unleashed by Ruckuswireless
Ruckus Zonedirector by Ruckuswireless
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root access, allowing attackers to install persistent backdoors, steal credentials, pivot to other network segments, and disrupt wireless services.
Likely Case
Privilege escalation from authenticated user to root, enabling configuration changes, credential harvesting, and lateral movement within the network.
If Mitigated
Limited to authenticated users only, with proper network segmentation preventing lateral movement and monitoring detecting unusual CLI activity.
🎯 Exploit Status
Exploit requires authenticated access first. The vulnerability is documented with technical details in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ruckus Unleashed 200.15.6.212.14, 200.17.7.0.139 or later; ZoneDirector 10.5.1.0.279 or later
Vendor Advisory: https://support.ruckuswireless.com/security_bulletins/330
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Ruckus support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Reboot the controller.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Management Access
Limit access to the management interface to trusted IP addresses only using firewall rules.
Monitor CLI Activity
Implement logging and alerting for any CLI command execution, particularly unusual or hidden commands.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate wireless controllers from critical network segments.
- Enforce strong authentication policies and monitor for unusual authenticated user activity.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface (System > About) or the CLI (show version). Compare against affected versions.
Check Version:
show version
Verify Fix Applied:
After patching, verify that the firmware version shown is a patched version. Test that the !v54! command is no longer accessible or requires proper authentication.
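Added example (not from the vendor advisory or this page's source): a version check for an inventory of controllers, comparing each build numerically against the patched builds listed under Official Fix. A plain string comparison would rank 200.15.6.212.9 above 200.15.6.212.14. The function names, the "same release train" rule and the inventory rows are assumptions made for illustration.

```python
import re

# Patched builds exactly as listed under "Official Fix" above.
PATCHED = {
    "unleashed": ("200.15.6.212.14", "200.17.7.0.139"),
    "zonedirector": ("10.5.1.0.279",),
}


def to_tuple(version):
    """Turn '200.15.6.212.14' into (200, 15, 6, 212, 14) for numeric comparison."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", version):
        raise ValueError(f"not a dotted build number: {version!r}")
    return tuple(int(part) for part in version.split("."))


def fix_status(product, version):
    """Classify a build as 'patched', 'vulnerable' or 'unlisted-train'.

    Assumption (not stated on the page): each fix applies to builds on the
    same release train, i.e. the same first two components.
    """
    build = to_tuple(version)
    fixes = sorted(to_tuple(v) for v in PATCHED[product.lower()])
    for fix in fixes:
        if fix[:2] == build[:2]:
            return "patched" if build >= fix else "vulnerable"
    # "or later": a train newer than the newest listed fix is taken as patched.
    if build[:2] > fixes[-1][:2]:
        return "patched"
    # Trains the page does not list: check the vendor advisory instead of guessing.
    return "unlisted-train"


if __name__ == "__main__":
    # Constructed inventory for illustration, not real devices.
    inventory = [
        ("ap-controller-1", "unleashed", "200.15.6.212.10"),
        ("ap-controller-2", "unleashed", "200.17.7.0.139"),
        ("zd-lab", "zonedirector", "10.5.1.0.176"),
        ("zd-old", "zonedirector", "10.4.1.0.257"),
    ]
    for host, product, version in inventory:
        print(f"{host:16} {product:13} {version:18} {fix_status(product, version)}")
```

Builds reported as unlisted-train are on a release line for which this page names no fixed build, so confirm their status against the vendor advisory.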
📡 Detection & Monitoring
Log Indicators:
- CLI command execution logs containing '!v54!'
- Authentication logs showing privilege escalation
- System logs showing shell access or root login
Network Indicators:
- Unusual outbound connections from controller
- SSH or telnet sessions originating from controller to unexpected destinations
SIEM Query:
source="ruckus-controller" AND (command="!v54!" OR event="privilege escalation" OR user="root")