Ruckus network management solutions riddled with unpatched vulnerabilities
Claroty researcher Noam Moshe has discovered serious vulnerabilities in two Ruckus Networks (formerly Ruckus Wireless) products that may allow attackers to compromise the environments managed by the affected software, Carnegie Mellon University’s CERT Coordination Center (CERT/CC) has warned.
The vulnerabilities have yet to be patched and it’s unknown when (or whether) they will be.
The vulnerabilities
Ruckus Networks is a subsidiary of American network infrastructure provider CommScope. It sells a variety of wired and wireless networking equipment and software.
Its networking devices, CERT/CC says, are usually found at “venues where many end points will be connected to the internet, such as schools, hospitals, multi-tenant residences, and smart cities that provide public Wi-Fi.”
The solutions affected by these vulnerabilities are Ruckus Virtual SmartZone (vSZ), a wireless network control software used to virtually manage large-scale networks of access point and clients, and Ruckus Network Director (RND), software for managing multiple vSZ clusters.
The Ruckus vSZ application has:
- Multiple hardcoded secrets, which could be used by attackers to bypass authentication and achieve administrator-level access (CVE-2025-44957)
- An authenticated arbitrary file read flaw that may allow attackers to read sensitive files (CVE-2025-44962)
- A built-in user with root privileges and default public and private RSA keys in the software’s /home/$USER/.ssh/ directory (CVE-2025-44954)
- Two OS command injection vulnerabilities that may allow attackers to remotely execute code (CVE-2025-44960, CVE-2025-44961)
The Ruckus RND software:
- Uses a cryptographic key hardcoded into the web server to ensure the validity of session JSON web tokens, and it can be misused to bypass authentication and access the server with administrator privileges (CVE-2025-44963)
- Uses a weak, hardcoded password for a jailed configuration environment, which can be misused to access an RND server with root permissions (CVE-2025-44955)
- Has a built-in user (sshuser) with root privileges, and the public and private SSH keys can be found in the in the sshuser home directory. These keys can be used to access an RND server as sshuser (CVE-2025-6243)
- Encrypts passwords with a hardcoded weak secret key and returns them in plaintext (CVE-2025-44958)
No patches available. What to do?
“[The] impact of these vulnerabilities vary from information leakage to total compromise of the wireless environment managed by the affected products,” CERT/CC pointed out.
“As an example, an attacker with network access to Ruckus Wireless vSZ can exploit CVE-2025-44954 to gain full administrator access that will lead to total compromise of the vSZ wireless management environment.”
Some of the vulnerabilities could be chained to bypass security controls that prevent only specific attacks, they added.
Claroty and CERT/CC have not been able to reach Ruckus or CommScope and thus don’t know when the vulnerabilities will be patched. (HelpNetSecurity has, likewise, been unable to get a response from CommScope.)
Some Reddit users have also commented the disclosure of these vulnerability by sharing the problems they have personally had with reporting vulnerabilities to Ruckus/CommScope either via Bugcrowd or directly.
Until fixes are released, CERT/CC recommends using the affected products only within isolated management networks, and only allow trusted users and their authenticated clients to access the products’ management interface via HTTPS or SSH.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
Source link