CVE-2025-46122
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary commands as root on Ruckus Unleashed wireless controllers by exploiting insufficient input validation in the diagnostics API. Attackers can achieve remote code execution by passing malicious input to the `/admin/_cmdstat.jsp` endpoint. Organizations using affected versions of Ruckus Unleashed are at risk.
💻 Affected Systems
- CommScope Ruckus Unleashed
📦 What is this software?
Ruckus Unleashed by Ruckuswireless
Ruckus Unleashed by Ruckuswireless
Ruckus Zonedirector by Ruckuswireless
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root access, allowing attackers to install persistent backdoors, exfiltrate sensitive data, pivot to other network segments, or disrupt wireless services.
Likely Case
Attackers gain root shell access to the controller, enabling them to modify configurations, intercept network traffic, or use the device as a foothold for lateral movement.
If Mitigated
With proper network segmentation and access controls, impact is limited to the wireless controller itself, though it could still serve as an entry point.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is well-documented with public technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 200.15.6.212.14 or 200.17.7.0.139 and later
Vendor Advisory: https://support.ruckuswireless.com/security_bulletins/330
Restart Required: Yes
Instructions:
1. Download the latest firmware from Ruckus support portal. 2. Backup current configuration. 3. Upload and install the firmware update via the web interface. 4. Reboot the controller after installation completes.
🔧 Temporary Workarounds
Restrict Management Access
allLimit access to the Ruckus Unleashed management interface to trusted IP addresses only.
Disable Unused Diagnostic Features
allIf the diagnostics API endpoint is not required, consider disabling it through configuration.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Ruckus controllers from critical systems
- Enforce strong authentication policies and monitor for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the web interface under System > About. If version is below 200.15.6.212.14 or 200.17.7.0.139, the system is vulnerable.Check Version:
No CLI command available; check via web interface at System > AboutVerify Fix Applied:
After patching, verify the firmware version shows 200.15.6.212.14, 200.17.7.0.139, or higher in the System > About page.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /admin/_cmdstat.jsp
- Multiple failed authentication attempts followed by successful login
- Commands in logs that don't match normal diagnostic operations
Network Indicators:
- Unusual outbound connections from the Ruckus controller
- Traffic to unexpected ports or IP addresses from the controller
SIEM Query:
source="ruckus-controller" AND (url="/admin/_cmdstat.jsp" OR cmd="*" OR process="sh")