{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/613753#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nMultiple vulnerabilities have been identified in RUCKUS Networks management products, specifically Virtual SmartZone (vSZ) and Network Director (RND), including authentication bypass, hardcoded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. These issues may allow full compromise of the environments managed by the affected software.\r\n\r\nFor the latest information, please see RUCKUS [Security Bulletin 20250710](https://support.ruckuswireless.com/security_bulletins/333).\r\n### Description\r\n\r\nRUCKUS Networks is a company that provides networking devices for venues where many end points will be connected to the internet, such as schools, hospitals, multi-tenant residences, and smart cities that provide public Wi-Fi.  Virtual SmartZone (vSZ) by RUCKUS Networks is a wireless network control software to virtually manage large-scale networks, up to a scale of 10,000 RUCKUS access points and 150,000 connected clients.  RUCKUS Network Director (RND) is software for the management of multiple vSZ clusters on a single network. \r\n\r\nMultiple vulnerabilities were reported in these RUCKUS Networks products that are described here:\r\n\r\n\r\n[CVE-2025-44957] Hardcoded Secrets, including JWT Signing Key, API keys in Code (CWE-287: Improper Authentication). Multiple secrets are hardcoded into the vSZ application, making them vulnerable to access thus allowing elevated privileges. Using HTTP headers and a valid API key, it is possible to logically bypass the authentication methods, providing administrator-level access to anyone that does this.\r\n\r\n[CVE-2025-44962] Authenticated Arbitrary File Read (CWE-23: Relative Path Traversal). RUCKUS vSZ allows for users to download files from an allowed directory, but by hardcoding a directory path, a user could traverse other directory paths with `../` to read sensitive files.\r\n\r\n[CVE-2025-44960] Remote Code Execution (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')). A parameter in a vSZ API route is user-controlled and not sanitized before being executed in an OS command. An attacker could supply a malicious payload to result in code execution.\r\n\r\n[CVE-2025-44961] Remote Code Execution (CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')). An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.\r\n\r\n[CVE-2025-44963] Hardcoded Secrets, including JWT token (CWE-321: Use of Hard-coded Cryptographic Key). RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.\r\n\r\n[CVE-2025-44955] Hardcoded Secrets (CWE-259: Use of Hard-coded Password). RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.\r\n\r\n[CVE-2025-6243] Hardcoded SSH Public Key (CWE-321: Use of Hard-coded Cryptographic Key). A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.\r\n\r\n[CVE-2025-44958] Recoverable passwords (CWE-257: Storing Passwords in a Recoverable Format). RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.\r\n\r\n### Impact\r\n\r\nImpact of these vulnerabilities vary from information leakage to total compromise of the wireless environment managed by the affected products.  As an example, an attacker with API access to RUCKUS Networks vSZ can exploit CVE-2025-44957 to gain full administrator access that will lead to total compromise of the vSZ wireless management environment. Furthermore, multiple vulnerabilities can be chained to create chained attacks that can allow the attacker to combine attacks to bypass any security controls that prevent only specific attacks. \r\n\r\n\r\n### Solution\r\n\r\nRUCKUS has provided patches defined per product at [https://webresources.commscope.com/download/assets/FAQ+Security+Advisory%3A+ID+20250710/225f44ac3bd311f095821adcaa92e24e](https://webresources.commscope.com/download/assets/FAQ+Security+Advisory%3A+ID+20250710/225f44ac3bd311f095821adcaa92e24e).\r\n\r\nFurthermore, RUCKUS advises deploying\r\nvSZ and RND in accordance with [best security practices](https://support.ruckuswireless.com/security_bulletins/278) and also restricting network access to potentially vulnerable devices to a limited set of trusted users.\r\n\r\n### Acknowledgements\r\n\r\nThanks to Noam Moshe of Claroty Team82 for reporting these vulnerabilities. This document was written by CERT/CC.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"A security update for RUCKUS SmartZone is available as per links below.","title":"Vendor statment from Commscope (Ruckus Wireless)"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/613753"},{"url":"https://support.ruckuswireless.com/software/4542-smartzone-and-virtual-smartzone-6-1-2-patch3-ksp-for-reported-vulnerabilities-in-ruckus-smartzone-security-bulletin-20250710","summary":"Reference(s) from vendor \"Commscope (Ruckus Wireless)\""},{"url":"https://support.ruckuswireless.com/security_bulletins/333","summary":"Reference(s) from vendor \"Commscope (Ruckus Wireless)\""}],"title":"RUCKUS Virtual SmartZone (vSZ) and RUCKUS Network Director (RND) contain multiple vulnerabilities","tracking":{"current_release_date":"2025-07-24T22:12:05+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#613753","initial_release_date":"2025-07-08 19:41:02.431534+00:00","revision_history":[{"date":"2025-07-24T22:12:05+00:00","number":"1.20250724221205.7","summary":"Released on 2025-07-24T22:12:05+00:00"}],"status":"final","version":"1.20250724221205.7"}},"vulnerabilities":[{"title":"RND version 4.","notes":[{"category":"summary","text":"RND version 4.0.0.36 is vulnerable to RCE because of its use of a hardcoded default public key."}],"cve":"CVE-2025-6243","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#613753"}],"references":[{"url":"https://support.ruckuswireless.com/software/4542-smartzone-and-virtual-smartzone-6-1-2-patch3-ksp-for-reported-vulnerabilities-in-ruckus-smartzone-security-bulletin-20250710","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"},{"url":"https://support.ruckuswireless.com/security_bulletins/333","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"}],"product_status":{"known_affected":["CSAFPID-a15f3ac4-33ed-11f1-8422-122e2785dc9f"]}},{"title":"RND version 4.","notes":[{"category":"summary","text":"RND version 4.0.0.36 does not sufficiently store user passwords as a result of storing passwords in a recoverable format."}],"cve":"CVE-2025-44958","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#613753"}],"references":[{"url":"https://support.ruckuswireless.com/software/4542-smartzone-and-virtual-smartzone-6-1-2-patch3-ksp-for-reported-vulnerabilities-in-ruckus-smartzone-security-bulletin-20250710","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"},{"url":"https://support.ruckuswireless.com/security_bulletins/333","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"}],"product_status":{"known_affected":["CSAFPID-a15f9aa0-33ed-11f1-8422-122e2785dc9f"]}},{"title":"Ruckus Virtual SmartZone (vSZ), version 6.","notes":[{"category":"summary","text":"Ruckus Virtual SmartZone (vSZ), version 6.1.2.0.487 and below, contains a command injection vulnerability, allowing authenticated attackers to execute arbitrary code on the system."}],"cve":"CVE-2025-44961","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#613753"}],"references":[{"url":"https://support.ruckuswireless.com/software/4542-smartzone-and-virtual-smartzone-6-1-2-patch3-ksp-for-reported-vulnerabilities-in-ruckus-smartzone-security-bulletin-20250710","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"},{"url":"https://support.ruckuswireless.com/security_bulletins/333","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"}],"product_status":{"known_affected":["CSAFPID-a15ff748-33ed-11f1-8422-122e2785dc9f"]}},{"title":"Ruckus Virtual SmartZone (vSZ), version\r\n6.","notes":[{"category":"summary","text":"Ruckus Virtual SmartZone (vSZ), version\r\n6.1.2.0.487 and below, contains an API route vulnerable to O/S command injection."}],"cve":"CVE-2025-44960","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#613753"}],"references":[{"url":"https://support.ruckuswireless.com/software/4542-smartzone-and-virtual-smartzone-6-1-2-patch3-ksp-for-reported-vulnerabilities-in-ruckus-smartzone-security-bulletin-20250710","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"},{"url":"https://support.ruckuswireless.com/security_bulletins/333","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"}],"product_status":{"known_affected":["CSAFPID-a16068a4-33ed-11f1-8422-122e2785dc9f"]}},{"title":"Ruckus Virtual SmartZone (vSZ), version 6.","notes":[{"category":"summary","text":"Ruckus Virtual SmartZone (vSZ), version 6.1.2.0.487 and below, uses hard-coded keys, which attackers could use to bypass authentication, gain valid credentials, sign API tokens, etc."}],"cve":"CVE-2025-44962","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#613753"}],"references":[{"url":"https://support.ruckuswireless.com/software/4542-smartzone-and-virtual-smartzone-6-1-2-patch3-ksp-for-reported-vulnerabilities-in-ruckus-smartzone-security-bulletin-20250710","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"},{"url":"https://support.ruckuswireless.com/security_bulletins/333","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"}],"product_status":{"known_affected":["CSAFPID-a160db22-33ed-11f1-8422-122e2785dc9f"]}},{"title":"RND version 4.","notes":[{"category":"summary","text":"RND version 4.0.0.36 contains a vulnerability that allows an attacker to bypass authentication through the use of a hardcoded JWT secret."}],"cve":"CVE-2025-44963","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#613753"}],"references":[{"url":"https://support.ruckuswireless.com/software/4542-smartzone-and-virtual-smartzone-6-1-2-patch3-ksp-for-reported-vulnerabilities-in-ruckus-smartzone-security-bulletin-20250710","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"},{"url":"https://support.ruckuswireless.com/security_bulletins/333","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"}],"product_status":{"known_affected":["CSAFPID-a16153fe-33ed-11f1-8422-122e2785dc9f"]}},{"title":"RND version 4.","notes":[{"category":"summary","text":"RND version 4.0.0.36 is vulnerable to SSH jailbreak when weak administrative credentials are used."}],"cve":"CVE-2025-44955","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#613753"}],"references":[{"url":"https://support.ruckuswireless.com/software/4542-smartzone-and-virtual-smartzone-6-1-2-patch3-ksp-for-reported-vulnerabilities-in-ruckus-smartzone-security-bulletin-20250710","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"},{"url":"https://support.ruckuswireless.com/security_bulletins/333","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"}],"product_status":{"known_affected":["CSAFPID-a161c7da-33ed-11f1-8422-122e2785dc9f"]}},{"title":"Ruckus Virtual SmartZone (vSZ), version\r\n6.","notes":[{"category":"summary","text":"Ruckus Virtual SmartZone (vSZ), version\r\n6.1.2.0.487 and below, contains a vulnerability that allows authenticated attackers to read any files in the underlying O/S."}],"cve":"CVE-2025-44957","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#613753"}],"references":[{"url":"https://support.ruckuswireless.com/software/4542-smartzone-and-virtual-smartzone-6-1-2-patch3-ksp-for-reported-vulnerabilities-in-ruckus-smartzone-security-bulletin-20250710","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"},{"url":"https://support.ruckuswireless.com/security_bulletins/333","summary":"A security update for RUCKUS SmartZone is available as per links below.","category":"external"}],"product_status":{"known_affected":["CSAFPID-a1624e30-33ed-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Commscope (Ruckus Wireless)","product":{"name":"Commscope (Ruckus Wireless) Products","product_id":"CSAFPID-a15f3ac4-33ed-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Commscope (Ruckus Wireless)","product":{"name":"Commscope (Ruckus Wireless) Products","product_id":"CSAFPID-a15f9aa0-33ed-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Commscope (Ruckus Wireless)","product":{"name":"Commscope (Ruckus Wireless) Products","product_id":"CSAFPID-a15ff748-33ed-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Commscope (Ruckus Wireless)","product":{"name":"Commscope (Ruckus Wireless) Products","product_id":"CSAFPID-a16068a4-33ed-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Commscope (Ruckus Wireless)","product":{"name":"Commscope (Ruckus Wireless) Products","product_id":"CSAFPID-a160db22-33ed-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Commscope (Ruckus Wireless)","product":{"name":"Commscope (Ruckus Wireless) Products","product_id":"CSAFPID-a16153fe-33ed-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Commscope (Ruckus Wireless)","product":{"name":"Commscope (Ruckus Wireless) Products","product_id":"CSAFPID-a161c7da-33ed-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Commscope (Ruckus Wireless)","product":{"name":"Commscope (Ruckus Wireless) Products","product_id":"CSAFPID-a1624e30-33ed-11f1-8422-122e2785dc9f"}}]}}