PT-2026-1952 · Ruckus · Ruckus vRIoT IoT Controller
Ivan Racic
·
Published
2026-01-09
·
Updated
2026-01-12
·
CVE-2025-69425
CVSS v4.0
10.0
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Ruckus vRIoT IoT Controller versions prior to 3.0.0.0 (GA)
Description
The Ruckus vRIoT IoT Controller firmware exposes a command execution service on TCP port 2004 that runs as root. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token; because both ship inside the firmware image rather than being provisioned per device, they are identical on every installation. An attacker who extracts these values from any appliance image or from one compromised device can compute valid TOTP codes for every other controller, authenticate to the service over the network without any prior credentials (AV:N/PR:N), and execute arbitrary OS commands as root, resulting in complete system compromise.
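The following Python is an added illustration, not code from this advisory or from Ruckus, of why a TOTP secret baked into every firmware image is no stronger than a static password however correctly RFC 6238 is implemented around it. It implements HOTP/TOTP as specified (validated against an RFC 6238 test vector), models a toy command service gated by a static token plus a TOTP code using constructed, hypothetical secret and token values (not the real Ruckus material and not the real port-2004 wire protocol), shows that material dumped from one controller authenticates to a second controller built from the same image, and repeats the check with per-install secrets generated at first boot, where the same attack fails.

```python
"""Added illustration (not code from the advisory or from Ruckus): a TOTP secret
that is identical in every firmware image is a static credential."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock skew."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


# Constructed stand-ins for a firmware-wide secret and token. These are NOT the
# real Ruckus values, and CommandService is NOT the real port-2004 protocol; they
# only model the property "the same material ships in every image".
HYPOTHETICAL_FIRMWARE_TOTP_SECRET = b"baked-into-every-vriot-image"
HYPOTHETICAL_FIRMWARE_STATIC_TOKEN = "baked-in-static-token"


class CommandService:
    """Toy model of a root command endpoint gated by a static token plus a TOTP code."""

    def __init__(self, totp_secret: bytes, static_token: str):
        self._totp_secret = totp_secret
        self._static_token = static_token

    def authenticate(self, static_token: str, code: str, unix_time: int) -> bool:
        # Token compared first, so a per-install token alone already stops a cross-device replay.
        return (hmac.compare_digest(static_token, self._static_token)
                and verify_totp(self._totp_secret, code, unix_time))


def hardcoded_design_cross_device(unix_time: int) -> bool:
    """Vulnerable design: two controllers built from the same image. Material
    extracted from controller A is presented to controller B."""
    controller_a = CommandService(HYPOTHETICAL_FIRMWARE_TOTP_SECRET, HYPOTHETICAL_FIRMWARE_STATIC_TOKEN)
    controller_b = CommandService(HYPOTHETICAL_FIRMWARE_TOTP_SECRET, HYPOTHETICAL_FIRMWARE_STATIC_TOKEN)
    # Reading the private fields stands in for dumping the secret out of A's firmware.
    stolen_secret, stolen_token = controller_a._totp_secret, controller_a._static_token
    forged_code = totp(stolen_secret, unix_time)  # computed offline, no contact with A needed
    return controller_b.authenticate(stolen_token, forged_code, unix_time)  # True


def per_install_design_cross_device(unix_time: int) -> bool:
    """Hardened design: each controller generates its own secret and token at
    first boot, so nothing extracted from A means anything to B."""
    controller_a = CommandService(secrets.token_bytes(20), secrets.token_hex(16))
    controller_b = CommandService(secrets.token_bytes(20), secrets.token_hex(16))
    stolen_secret, stolen_token = controller_a._totp_secret, controller_a._static_token
    forged_code = totp(stolen_secret, unix_time)
    return controller_b.authenticate(stolen_token, forged_code, unix_time)  # False


if __name__ == "__main__":
    import time
    now = int(time.time())
    # RFC 6238 Appendix B vector: SHA-1, 8 digits, ASCII secret "12345678901234567890".
    assert totp(b"12345678901234567890", 59, digits=8) == "94287082"
    print("hardcoded firmware secret, cross-device login accepted:",
          hardcoded_design_cross_device(now))
    print("per-install secret, cross-device login accepted:",
          per_install_design_cross_device(now))
```

The point the toy makes is that TOTP only adds value when the secret is unique to the verifier it was provisioned for; once the same secret is in every image, "extract once, authenticate everywhere" reduces it to a password that the operator cannot even rotate.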
Recommendations
Update to version 3.0.0.0 (GA) or later. Until the update is applied, restrict network access to TCP port 2004 to trusted management hosts: possession of the firmware-wide secret and token is the only requirement for the attack, and because both are embedded in the firmware they cannot be rotated by the operator.
Fix
RCE
Using Hardcoded Credentials
Missing Authentication
Related identifiers
Affected products
Ruckus vRIoT IoT Controller