CVE-2025-46120
📋 TL;DR
A path traversal vulnerability in the Ruckus Unleashed and ZoneDirector web interfaces allows an attacker who can upload a malicious EJS template over FTP to have the web server render that template without authenticating to the web interface, executing arbitrary template code on the controller. This yields privilege escalation and remote code execution on affected network controllers. Organizations running unpatched versions of these wireless network management systems are at risk.
💻 Affected Systems
- CommScope Ruckus Unleashed
- Ruckus ZoneDirector
📦 What is this software?
Ruckus Unleashed by Ruckuswireless
Ruckus Zonedirector by Ruckuswireless
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the network controller leading to full administrative control, lateral movement within the network, and persistent backdoor installation.
Likely Case
Attacker gains administrative privileges on the controller, modifies network configurations, intercepts traffic, and potentially compromises connected devices.
If Mitigated
With management interfaces segmented and FTP restricted or disabled, the attacker cannot stage the template, and a compromise (if any) is confined to the controller without lateral movement.
🎯 Exploit Status
The exploit chain has two stages: upload of a malicious EJS template over FTP, followed by a path traversal request to the web interface that makes the server render it. Public technical details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Ruckus Unleashed 200.15.6.212.27 or 200.18.7.1.323; ZoneDirector 10.5.1.0.282
Vendor Advisory: https://support.ruckuswireless.com/security_bulletins/330
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Ruckus support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface.
4. Apply the update.
5. Reboot the controller.
6. Verify the version after reboot.
🔧 Temporary Workarounds
Disable FTP Service
Prevents template upload via FTP, breaking the first stage of the exploit chain
Check Ruckus documentation for the FTP disable procedure
Network Segmentation
Restrict access to controller management interfaces (web and FTP)
Configure firewall rules to limit access to trusted IPs only
🧯 If You Can't Patch
- Isolate controller management interfaces behind firewall with strict access controls
- Disable FTP service and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check firmware version in web interface under System > About or via CLI 'show version'
Check Version:
show version
Verify Fix Applied:
Confirm the running version is equal to or higher than the patched version for the same release branch listed in the ✅ Official Fix section (Unleashed has two fixed branches, 200.15.x and 200.18.x; compare against the one you run)
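The version comparison above is easy to get wrong by hand because Unleashed ships fixes on two branches. The following Python helper is an added example (not vendor code): it takes the fixed builds from the Official Fix section and compares a running version only against the fixed build on the same branch. The assumption that the first two dotted components (e.g. `200.15`) identify a release branch is ours, and the sample `show version` text is constructed.

```python
"""Branch-aware firmware version check for CVE-2025-46120 (added example)."""
import re
from typing import Optional, Tuple

# Fixed builds from the vendor advisory (Official Fix section), keyed by product.
FIXED_VERSIONS = {
    "unleashed": ["200.15.6.212.27", "200.18.7.1.323"],
    "zonedirector": ["10.5.1.0.282"],
}

# Assumption (ours): the first two components name the release branch.
BRANCH_DEPTH = 2

VERSION_RE = re.compile(r"\b\d+(?:\.\d+){3,}\b")


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted build string into integers so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.strip().split("."))


def extract_version(text: str) -> Optional[str]:
    """Pull the first dotted build string (4+ components) out of CLI/web output."""
    m = VERSION_RE.search(text)
    return m.group(0) if m else None


def is_fixed(product: str, running: str) -> Optional[bool]:
    """True  -> running build is at or above the fixed build on its branch.
    False -> running build is older than the fixed build on its branch.
    None  -> the branch has no listed fix; do not assume it is safe, check the advisory."""
    cur = parse_version(running)
    for fixed in FIXED_VERSIONS[product.lower()]:
        fx = parse_version(fixed)
        if fx[:BRANCH_DEPTH] == cur[:BRANCH_DEPTH]:
            return cur >= fx
    return None


if __name__ == "__main__":
    # Constructed sample output; real 'show version' formatting may differ.
    sample = "Ruckus Unleashed\nVersion: 200.15.6.212.20\nUptime: 3 days"
    ver = extract_version(sample)
    print(ver, "->", is_fixed("unleashed", ver))
```

A `None` result means the controller runs a branch the advisory does not list (for example a 200.17.x Unleashed build); treat that as unresolved rather than as patched.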
📡 Detection & Monitoring
Log Indicators:
- Unusual FTP uploads of .ejs files
- Web interface requests with path traversal patterns
- Unauthorized configuration changes
Network Indicators:
- Unexpected FTP connections to controller
- Suspicious web requests containing '../' sequences, including URL-encoded (%2e%2e%2f) and double-encoded forms
SIEM Query (field names are placeholders; a literal '../' wildcard misses URL-encoded traversal, so decode the URI field before matching where your platform allows it):
source="ruckus_controller" AND (uri="*../*" OR filename="*.ejs")
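The indicators above are easiest to act on when the FTP upload and the traversal request are correlated on source IP. The following Python is an added example (not vendor code or a product query) that runs both checks over constructed sample logs: a combined-format web access log and a vsftpd-style FTP transfer log (xferlog). Both sample logs and their formats are assumptions; adapt the parsing to what your controller or proxy actually emits.

```python
"""Detection logic for the CVE-2025-46120 indicators (added example)."""
import re
from urllib.parse import unquote

# Constructed sample web access log lines (combined log format).
WEB_LOG = """\
10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /admin/login.jsp HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2025:10:00:07 +0000] "GET /admin/../../tmp/evil.ejs HTTP/1.1" 200 88
10.0.0.9 - - [01/May/2025:10:00:09 +0000] "GET /admin/%2e%2e%2f%2e%2e%2ftmp%2fevil.ejs HTTP/1.1" 200 88
10.0.0.9 - - [01/May/2025:10:00:11 +0000] "GET /admin/..%252f..%252ftmp/evil.ejs HTTP/1.1" 404 0
10.0.0.7 - - [01/May/2025:10:00:15 +0000] "GET /static/app.js HTTP/1.1" 200 4096
"""

# Constructed sample FTP transfer log lines (vsftpd xferlog style).
# Fields: date(5) xfer-time host size filename type action direction mode user service auth auth-user status
FTP_LOG = """\
Thu May  1 10:00:03 2025 1 10.0.0.9 2048 /incoming/evil.ejs b _ i r ftpuser ftp 0 * c
Thu May  1 10:00:05 2025 1 10.0.0.5 8192 /incoming/config.bak b _ o r backup ftp 0 * c
Thu May  1 10:00:06 2025 1 10.0.0.9 1024 /incoming/notes.txt b _ i r ftpuser ftp 0 * c
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A '..' segment bounded by slashes (either direction) or the ends of the path.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def normalize_path(path: str) -> str:
    """URL-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f both surface as '..'."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_traversal(web_lines: str) -> list:
    """Return access-log lines whose decoded request path contains a '..' segment."""
    hits = []
    for line in web_lines.splitlines():
        m = REQUEST_RE.search(line)
        if m and TRAVERSAL_RE.search(normalize_path(m.group("path"))):
            hits.append(line)
    return hits


def find_ejs_uploads(ftp_lines: str) -> list:
    """Return (host, user, filename) for incoming ('i') transfers of .ejs files.
    Uses whitespace splitting, so filenames containing spaces would need a stricter parser."""
    hits = []
    for line in ftp_lines.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        host, filename, direction, user = f[6], f[8], f[11], f[13]
        if direction == "i" and filename.lower().endswith(".ejs"):
            hits.append((host, user, filename))
    return hits


def correlate(web_lines: str, ftp_lines: str) -> list:
    """Source IPs that both uploaded a .ejs file over FTP and sent a traversal request:
    the two stages of the exploit chain seen together."""
    uploaders = {host for host, _, _ in find_ejs_uploads(ftp_lines)}
    chain = {line.split()[0] for line in find_traversal(web_lines)} & uploaders
    return sorted(chain)


if __name__ == "__main__":
    for line in find_traversal(WEB_LOG):
        print("traversal:", line)
    for hit in find_ejs_uploads(FTP_LOG):
        print("ejs upload:", hit)
    print("chain from:", correlate(WEB_LOG, FTP_LOG))
```

Note that the double-encoded request in the sample returned 404; it still gets flagged, because the point of the detection is the attempt, not whether this particular request succeeded.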