CVE-2025-46121

{"id": "CVE-2025-46121", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-07-21T15:15:28.270", "references": [{"url": "https://sector7.computest.nl/post/2025-07-ruckus-unleashed/", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://support.ruckuswireless.com/security_bulletins/330", "tags": ["Product"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-134"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en CommScope Ruckus Unleashed anterior a 200.15.6.212.14 y 200.17.7.0.139, donde las funciones `stamgr_cfg_adpt_addStaFavourite` y `stamgr_cfg_adpt_addStaIot` pasan el nombre de host de un cliente directamente a snprintf como cadena de formato. Un atacante remoto puede explotar esta vulnerabilidad enviando una solicitud manipulada al endpoint autenticado `/admin/_conf.jsp`, o sin autenticaci\u00f3n y sin acceso directo al controlador de red, falsificando la direcci\u00f3n MAC de una estaci\u00f3n favorita e incrustando especificadores de formato maliciosos en el campo de nombre de host DHCP, lo que resulta en el procesamiento no autenticado de la cadena de formato y la ejecuci\u00f3n de c\u00f3digo arbitrario en el controlador."}], "lastModified": "2025-08-05T17:18:43.993", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ruckuswireless:ruckus_unleashed:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8933A8DB-2169-4969-857D-65FCC5A2687E", "versionEndExcluding": "200.15.6.212.14"}, {"criteria": "cpe:2.3:a:ruckuswireless:ruckus_unleashed:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BF7ACF7-77A1-497E-991F-F8015017FF6B", "versionEndExcluding": "200.17.7.0.139", "versionStartIncluding": "200.17"}, {"criteria": "cpe:2.3:a:ruckuswireless:ruckus_zonedirector:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31CEC229-C1CD-471D-93EC-BF4629393864", "versionEndExcluding": "10.5.1.0.279"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:commscope:ruckus_c110:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "84B1EC30-ACC3-4141-A149-F2C912AEDC2B"}, {"criteria": "cpe:2.3:h:commscope:ruckus_e510:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C1CB277A-B51A-4EF6-9B60-26E42DB466A3"}, {"criteria": "cpe:2.3:h:commscope:ruckus_h320:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4EDE59EC-811F-4A5E-A4DE-C3289D8A049A"}, {"criteria": "cpe:2.3:h:commscope:ruckus_h350:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "37C8E333-5C44-44BB-842F-FCDA8D8D5831"}, {"criteria": "cpe:2.3:h:commscope:ruckus_h510:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "0CABADA0-2CC3-4218-BE64-7014F21166CD"}, {"criteria": "cpe:2.3:h:commscope:ruckus_h550:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3DC533A1-7998-4363-9D94-E1472F22DE87"}, {"criteria": "cpe:2.3:h:commscope:ruckus_m510:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "75F9B4E2-6E5B-4C96-A46F-06450BB81E68"}, {"criteria": "cpe:2.3:h:commscope:ruckus_m510-jp:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "028EEF4A-5A5B-4662-A5AA-B027EF66DF2B"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r310:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2BA2F043-9743-4FC9-AF74-20FAC503C2F2"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r320:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D165B27E-AA69-446F-916F-AF26E30510CA"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r350:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5BD23474-CBFE-4575-A2DA-431C0D74E2EE"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r350e:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "208776B7-AC2A-445F-A26F-5C072EFEED0E"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r510:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "EB605D38-A71B-44FF-909D-D34348491EA8"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r550:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "54D2D26C-E53C-41E2-9EB7-653CBF5A49E7"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r560:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E547E2A0-86E7-438C-9602-A2ECB247A84C"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r610:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A3A5E2C5-E261-4FA6-AB5E-D651110C80CB"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r650:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "44C800DC-82C3-4240-B2C0-18433FED4E3B"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r670:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1677A804-8DE7-4191-8E84-9ADAE9E8269E"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r710:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "22845768-F360-46EC-BB48-2A68A4B6A2C8"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r720:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "89E38958-2FEB-4945-81E0-522BD1136D26"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r730:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5D8F47E7-791A-44E8-A62C-B4D0F4AF80BD"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r750:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4A2A5668-2EDB-4E93-A4FA-88FCBCC057B1"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r760:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "473AC82B-6A00-4076-A043-E4854DA09C3E"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r770:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "554AE543-CC27-4109-9F0C-E17BF2A4E22F"}, {"criteria": "cpe:2.3:h:commscope:ruckus_r850:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "92E815A2-09BC-4FF8-B38C-8857E626ACA1"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t310c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "0777F3E0-7F95-49B4-B488-5550FF922E9E"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t310n:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "23A4DF46-52A7-4F47-B9EB-8F3A1D0261DA"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t310s:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DD0D8BF0-5736-44F7-8B9C-6BDCF97FF5C9"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t350c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FBCA0728-C62C-429B-ABA0-A8F853543A0F"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t350d:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6DDB7F8C-9DF1-47B4-8E82-95003744CC0B"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t350se:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3B4ED697-139A-4679-85D5-3992DEA8BB44"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t610:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6E5F3A97-6FC5-4592-8304-43070120AA3A"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t670:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "ACE01A53-D787-4240-BF0F-EDC8BF51D6D1"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t710:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E23CE29C-210E-44C0-B4CF-01F2889B671D"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t710s:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DD7A8265-2895-42FF-BF64-76C73CF67112"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t750:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "29911530-47EC-4865-9965-72D101827F1A"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t750se:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5C83392A-1656-473F-9F08-C3CC89FDF3FA"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t811-cm:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9C49E0DC-A33C-43F3-9278-5341C1842FA6"}, {"criteria": "cpe:2.3:h:commscope:ruckus_t811-cm_\\(non-sfp\\):-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FFDE6F6D-DC10-4C72-BDEC-0B1CB7DCCEA9"}, {"criteria": "cpe:2.3:h:commscope:zonedirector_1200:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9AB4E62C-2532-41A9-9F1E-737D3E4DD008"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}