CVE-2025-46119
📋 TL;DR
This vulnerability allows authenticated users to retrieve administrator passwords in a trivially reversible obfuscated form from the management endpoint. It affects CommScope Ruckus Unleashed and ZoneDirector network management systems. Attackers with authenticated access can escalate privileges to full administrative control.
💻 Affected Systems
- CommScope Ruckus Unleashed
- CommScope Ruckus ZoneDirector
📦 What is this software?
Ruckus Unleashed by Ruckuswireless
Ruckus Zonedirector by Ruckuswireless
⚠️ Risk & Real-World Impact
Worst Case
Full network compromise: attackers gain administrative credentials, reconfigure network settings, intercept traffic, deploy malware, or disable security controls across managed devices.
Likely Case
Privilege escalation from authenticated user to administrator, allowing unauthorized configuration changes, user account manipulation, and potential lateral movement.
If Mitigated
Limited to authenticated users only; proper access controls and network segmentation prevent unauthorized access to management interfaces.
🎯 Exploit Status
Exploitation requires authenticated access to the management interface; the obfuscation reversal is trivial as documented in public research.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ruckus Unleashed 200.15.6.212.27, 200.18.7.1.323 or later; Ruckus ZoneDirector 10.5.1.0.282 or later
Vendor Advisory: https://support.ruckuswireless.com/security_bulletins/330
Restart Required: Yes
Instructions:
1. Backup current configuration.
2. Download appropriate firmware from Ruckus support portal.
3. Upload firmware to device via web interface.
4. Apply update and restart device.
5. Verify version after reboot.
🔧 Temporary Workarounds
Restrict access to management interface
- Limit network access to management endpoints to trusted IP addresses only
- Configure firewall rules to restrict access to management IP/ports
Implement strong authentication controls
- Enforce multi-factor authentication and strong password policies for all user accounts
- Configure MFA via RADIUS or other authentication servers
🧯 If You Can't Patch
- Isolate management interfaces on separate VLAN with strict access controls
- Implement network monitoring for unauthorized access to /admin/_cmdstat.jsp endpoint
🔍 How to Verify
Check if Vulnerable:
Check current firmware version via web interface: System > About, or via SSH: show version
Check Version:
show version (via SSH) or check System > About in web interface
Verify Fix Applied:
Confirm firmware version is equal to or greater than patched versions listed in vendor advisory
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /admin/_cmdstat.jsp from unauthorized users
- Multiple failed authentication attempts followed by successful access
Network Indicators:
- Unusual traffic patterns to management interface
- Requests to sensitive administrative endpoints
SIEM Query:
source="ruckus" AND (url="/admin/_cmdstat.jsp" OR event="authentication_success") AND user NOT IN (admin_users)
(Pseudo-query; adapt the syntax to your SIEM, with admin_users being the list of known administrator accounts.)
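The two log indicators above turned into detection logic, as an added example that is not from the advisory or the vendor: the log line format, the admin_users set and the failure threshold are assumptions, and the sample lines are constructed.

```python
# Added example: flag non-admin requests to the vulnerable endpoint and logins
# that succeed after a burst of failures. Log format below is assumed; adapt
# the regex to what your Ruckus devices actually emit.
import re
from collections import defaultdict

ENDPOINT = "/admin/_cmdstat.jsp"
ADMIN_USERS = {"admin"}      # constructed list of known administrator accounts
FAILED_THRESHOLD = 3         # failures before a following success is flagged

# Constructed sample lines: "<ts> user=<name> event=<type> [url=<path>]"
SAMPLE_LOG = """\
2025-05-01T10:00:01Z user=admin event=http_request url=/admin/_cmdstat.jsp
2025-05-01T10:00:05Z user=guest event=http_request url=/admin/dashboard.jsp
2025-05-01T10:00:09Z user=guest event=http_request url=/admin/_cmdstat.jsp
2025-05-01T10:01:00Z user=bob event=auth_fail
2025-05-01T10:01:03Z user=bob event=auth_fail
2025-05-01T10:01:06Z user=bob event=auth_fail
2025-05-01T10:01:10Z user=bob event=auth_success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: url=(?P<url>\S+))?$")

def parse(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_alerts(log_text, admin_users=ADMIN_USERS, threshold=FAILED_THRESHOLD):
    """Return (timestamp, user, reason) tuples for the page's two log indicators."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per user
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        user, event = rec["user"], rec["event"]
        # Indicator 1: the vulnerable endpoint requested by a non-administrator
        if event == "http_request" and rec["url"] == ENDPOINT and user not in admin_users:
            alerts.append((rec["ts"], user, "non-admin request to " + ENDPOINT))
        # Indicator 2: repeated failures followed by a successful login
        elif event == "auth_fail":
            failures[user] += 1
        elif event == "auth_success":
            if failures[user] >= threshold:
                alerts.append((rec["ts"], user, f"login success after {failures[user]} failures"))
            failures[user] = 0
    return alerts

if __name__ == "__main__":
    for ts, user, reason in find_alerts(SAMPLE_LOG):
        print(ts, user, reason)
```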