CVE-2025-67305
📋 TL;DR
RUCKUS Network Director (RND) OVA appliances contain identical hardcoded SSH keys for the postgres user across all deployments, allowing attackers with network access to authenticate without passwords. This enables database access with superuser privileges, creation of administrative web users, and potential privilege escalation. All deployments running RND versions below 4.5.0.56 are affected.
💻 Affected Systems
- RUCKUS Network Director (RND)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including remote code execution, database manipulation, creation of persistent backdoors, and lateral movement to other systems.
Likely Case
Unauthorized database access leading to data theft, creation of administrative web users, and potential privilege escalation within the RUCKUS environment.
If Mitigated
Limited impact if SSH access is blocked at network boundaries and proper segmentation prevents lateral movement.
🎯 Exploit Status
Exploitation requires only SSH access and knowledge of the hardcoded keys; no authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.5.0.56
Restart Required: Yes
Instructions:
1. Download RND version 4.5.0.56 or later from the official RUCKUS support portal.
2. Back up the current configuration.
3. Apply the update through the RND web interface.
4. Restart the appliance as required.
🔧 Temporary Workarounds
Block SSH Access
Restrict SSH access to the RND appliance using firewall rules to only allow connections from trusted management networks.
iptables -A INPUT -p tcp --dport 22 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Change SSH Keys
Generate and deploy new SSH keys for the postgres user to replace the hardcoded ones.
ssh-keygen -t rsa -b 4096 -f /path/to/new_key
cp /path/to/new_key.pub ~postgres/.ssh/authorized_keys
chown -R postgres:postgres ~postgres/.ssh
chmod 700 ~postgres/.ssh
chmod 600 ~postgres/.ssh/authorized_keys
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RND appliances from untrusted networks
- Monitor SSH authentication logs for unauthorized access attempts and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check whether the SSH key fingerprint for the postgres user matches the known hardcoded keys, or verify whether the RND version is below 4.5.0.56.
Check Version:
ssh postgres@RND_IP 'cat /opt/rnd/version.txt'
Alternatively, check the version in the web interface.
Verify Fix Applied:
Verify that the RND version is 4.5.0.56 or higher and that SSH authentication with the known hardcoded keys fails.
📡 Detection & Monitoring
Log Indicators:
- Successful SSH authentication as postgres user
- Failed SSH attempts followed by successful postgres login
- Unusual database queries or administrative user creation
Network Indicators:
- SSH connections to RND appliance from unexpected sources
- Database connection attempts from postgres user to unusual destinations
SIEM Query:
source="auth.log" AND ((user="postgres" AND action="accepted") OR (process="sshd" AND dest_ip="RND_IP"))
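The log indicators above can also be checked directly against the appliance's sshd log. The following Python script is an added example, not part of the original advisory or any vendor tooling; it assumes standard OpenSSH auth.log lines, and the trusted network range, hostname, usernames other than postgres, and sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: management networks allowed to SSH to the appliance (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Standard OpenSSH result lines, e.g.
# "sshd[1]: Accepted publickey for postgres from 1.2.3.4 port 5 ssh2: ..."
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_postgres_logins(lines, user="postgres"):
    """Return one alert per accepted SSH login as `user`, with source context."""
    failures = {}  # source IP -> failed attempts (any user) seen before the login
    alerts = []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue  # not an sshd authentication result line
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] = failures.get(ip, 0) + 1
        elif m["user"] == user:
            alerts.append({
                "ip": ip,
                "method": m["method"],
                "untrusted_source": not is_trusted(ip),
                "prior_failures": failures.get(ip, 0),
            })
    return alerts

# Constructed sample lines in OpenSSH auth.log format (not from a real appliance).
SAMPLE_LOG = """\
Jan 12 03:14:01 rnd sshd[2211]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jan 12 03:14:05 rnd sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 40118 ssh2
Jan 12 03:14:09 rnd sshd[2217]: Accepted publickey for postgres from 198.51.100.23 port 40125 ssh2: RSA SHA256:CONSTRUCTED
Jan 12 08:30:44 rnd sshd[3050]: Accepted publickey for postgres from 10.20.0.15 port 51822 ssh2: RSA SHA256:CONSTRUCTED
Jan 12 08:31:02 rnd sshd[3061]: Accepted password for rndadmin from 10.20.0.15 port 51830 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in find_postgres_logins(SAMPLE_LOG):
        print(alert)
```

An alert with `untrusted_source` set, or with `prior_failures` above zero, corresponds to the first two log indicators listed above and is the one to triage first.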
🔗 References
- https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-012-ruckus-nd-hardcoded-ssh-keys-rce.md
- https://webresources.commscope.com/download/assets/RUCKUS+Network+Director%3A+Critical+Security+Bypass+Vulnerability+Leading+to+Remote+Code+Execution+and/3adeb3acb69211f08a46b6532db37357