{"uuid": "e6381844-1d85-477e-83f0-f85545c99c27", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Ruckus network management solutions riddled with unpatched vulnerabilities - Help Net Security", "description": "# Ruckus network management solutions riddled with unpatched vulnerabilities - Help Net Security\nClaroty researcher Noam Moshe has discovered serious vulnerabilities in two Ruckus Networks (formerly Ruckus Wireless) products that may allow attackers to compromise the environments managed by the affected software, Carnegie Mellon University\u2019s CERT Coordination Center (CERT/CC) has warned.\n\n![Ruckus vulnerabilities](https://img2.helpnetsecurity.com/posts2025/ruckus-650.webp \"Ruckus\")\n\nThe vulnerabilities have yet to be patched and it\u2019s unknown when (or whether) they will be.\n\n### The vulnerabilities\n\nRuckus Networks is a subsidiary of American network infrastructure provider CommScope. It sells a variety of wired and wireless networking equipment and software.\n\nIts networking devices, CERT/CC says, are usually found at \u201cvenues where many end points will be connected to the internet, such as schools, hospitals, multi-tenant residences, and smart cities that provide public Wi-Fi.\u201d\n\nThe solutions affected by these vulnerabilities are Ruckus Virtual SmartZone (vSZ), a wireless network control software used to virtually manage large-scale networks of access point and clients, and Ruckus Network Director (RND), software for managing multiple vSZ clusters.\n\nThe Ruckus vSZ application has:\n\n*   Multiple hardcoded secrets, which could be used by attackers to bypass authentication and achieve administrator-level access (**CVE-2025-44957**)\n*   An authenticated arbitrary file read flaw that may allow attackers to read sensitive files (**CVE-2025-44962**)\n*   A built-in user with _root_ privileges and default public and private RSA keys in the software\u2019s _/home/$USER/.ssh/_ directory (**CVE-2025-44954**)\n*   Two OS command injection vulnerabilities that may allow attackers to remotely execute code (**CVE-2025-44960, CVE-2025-44961**)\n\nThe Ruckus RND software:\n\n*   Uses a cryptographic key hardcoded into the web server to ensure the validity of session JSON web tokens, and it can be misused to bypass authentication and access the server with administrator privileges (**CVE-2025-44963**)\n*   Uses a weak, hardcoded password for a jailed configuration environment, which can be misused to access an RND server with _root_ permissions (**CVE-2025-44955**)\n*   Has a built-in user (sshuser) with _root_ privileges, and the public and private SSH keys can be found in the in the sshuser home directory. These keys can be used to access an RND server as sshuser (**CVE-2025-6243**)\n*   Encrypts passwords with a hardcoded weak secret key and returns them in plaintext (**CVE-2025-44958**)\n\n### No patches available. What to do?\n\n\u201c\\[The\\] impact of these vulnerabilities vary from information leakage to total compromise of the wireless environment managed by the affected products,\u201d CERT/CC [pointed out](https://kb.cert.org/vuls/id/613753).\n\n\u201cAs an example, an attacker with network access to Ruckus Wireless vSZ can exploit CVE-2025-44954 to gain full administrator access that will lead to total compromise of the vSZ wireless management environment.\u201d\n\nSome of the vulnerabilities could be chained to bypass security controls that prevent only specific attacks, they added.\n\nClaroty and CERT/CC have not been able to reach Ruckus or CommScope and thus don\u2019t know when the vulnerabilities will be patched. (HelpNetSecurity has, likewise, been unable to get a response from CommScope.)\n\nSome Reddit users have also commented the disclosure of these vulnerability by [sharing](https://www.reddit.com/r/RuckusWiFi/comments/1lveryu/multiple_vulnerabilities_vsz_and_rnd/) the problems they have personally had with reporting vulnerabilities to Ruckus/CommScope either via Bugcrowd or directly.\n\nUntil fixes are released, CERT/CC recommends using the affected products only within isolated management networks, and only allow trusted users and their authenticated clients to access the products\u2019 management interface via HTTPS or SSH.\n\n**UPDATE (July 11, 2025, 11:40 a.m. ET):**\n\nEchoing a [public acknowledgement](https://support.ruckuswireless.com/security_bulletins/333) of the reports, a CommScope representative told us that they are investigating the claim and will provide an update as soon as possible with guidance for their customers.\n", "creation_timestamp": "2025-07-14T06:04:37.589091+00:00", "timestamp": "2025-07-14T06:04:37.589091+00:00", "related_vulnerabilities": ["CVE-2025-44960", "CVE-2025-44963", "CVE-2025-6243", "CVE-2025-44962", "CVE-2025-44958", "CVE-2025-44955", "CVE-2025-44954", "CVE-2025-44957", "CVE-2025-44961"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}