René Ammerlaan

**Name of the Vulnerable Software and Affected Versions** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 and 200.17.7.0.139 CommScope Ruckus ZoneDirector versions prior to 10.5.1.0.279 **Description** An authenticated attacker can disable the passphrase requirement for a hidden CLI command `!v54!` via a management API call. Subsequently, the attacker can invoke the command to escape the restricted shell and obtain a root shell on the controller. **Recommendations** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 and 200.17.7.0.139 should be updated to version 200.15.6.212.14 or 200.17.7.0.139 or later. CommScope Ruckus ZoneDirector versions prior to 10.5.1.0.279 should be updated to version 10.5.1.0.279 or later.

**Name of the Vulnerable Software and Affected Versions** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 and 200.17.7.0.139 CommScope Ruckus ZoneDirector versions prior to 10.5.1.0.279 **Description** A hidden debug script `.ap debug.sh` invoked from the restricted command-line interface does not properly sanitize its input. This allows an authenticated attacker to execute arbitrary commands as root on the controller or a specified target. **Recommendations** Update CommScope Ruckus Unleashed to version 200.15.6.212.14 or later. Update CommScope Ruckus Unleashed to version 200.17.7.0.139 or later. Update CommScope Ruckus ZoneDirector to version 10.5.1.0.279 or later.

**Name of the Vulnerable Software and Affected Versions** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 and 200.17.7.0.139 CommScope Ruckus ZoneDirector versions prior to 10.5.1.0.279 **Description** An issue was discovered where hard-coded credentials for the `ftpuser` account provide FTP access to the controller. This enables a remote attacker to upload or retrieve arbitrary files from writable firmware directories, potentially exposing sensitive information or compromising the controller. **Recommendations** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14: Update to version 200.15.6.212.14 or later. CommScope Ruckus Unleashed versions prior to 200.17.7.0.139: Update to version 200.17.7.0.139 or later. CommScope Ruckus ZoneDirector versions prior to 10.5.1.0.279: Update to version 10.5.1.0.279 or later.

**Name of the Vulnerable Software and Affected Versions** CommScope Ruckus Unleashed versions prior to 200.15.6.12.304 CommScope Ruckus Unleashed versions prior to 200.18.7.1.302 **Description** An authenticated request to the management endpoint `/admin/ cmdstat.jsp` discloses the administrator password in a trivially reversible obfuscated form. The same obfuscation method persists in configuration, allowing anyone who obtains the system configuration to recover the plaintext credentials. **Recommendations** Update CommScope Ruckus Unleashed to version 200.15.6.12.304 or later. Update CommScope Ruckus Unleashed to version 200.18.7.1.302 or later.

**Name of the Vulnerable Software and Affected Versions** CommScope Ruckus Unleashed versions prior to 200.14.6.1.203 CommScope Ruckus ZoneDirector (affected versions not specified) **Description** A path-traversal flaw exists in the web interface. This flaw allows the server to execute attacker-supplied EJS templates outside of permitted directories. A remote, unauthenticated attacker who can upload a template (e.g., via FTP) can escalate privileges and run arbitrary template code on the controller. **Recommendations** CommScope Ruckus Unleashed versions prior to 200.14.6.1.203: Update to version 200.14.6.1.203 or later. CommScope Ruckus ZoneDirector: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 CommScope Ruckus Unleashed versions prior to 200.17.7.0.139 **Description** An issue exists where the functions `stamgr cfg adpt addStaFavourite` and `stamgr cfg adpt addStaIot` improperly handle client hostnames passed to `snprintf` as a format string. An attacker can exploit this flaw by sending a crafted request to the authenticated endpoint `/admin/ conf.jsp`, or by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field. This can lead to unauthenticated format-string processing and arbitrary code execution on the controller. **Recommendations** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14: Update to version 200.15.6.212.14 or later. CommScope Ruckus Unleashed versions prior to 200.17.7.0.139: Update to version 200.17.7.0.139 or later.

**Name of the Vulnerable Software and Affected Versions** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 CommScope Ruckus Unleashed versions prior to 200.17.7.0.139 **Description** The authenticated diagnostics API endpoint `/admin/ cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation. This enables a remote attacker to specify a target by MAC address and execute arbitrary commands as root. **Recommendations** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14: Update to version 200.15.6.212.14 or later. CommScope Ruckus Unleashed versions prior to 200.17.7.0.139: Update to version 200.17.7.0.139 or later.

**Name of the Vulnerable Software and Affected Versions** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 and 200.17.7.0.139 CommScope Ruckus ZoneDirector versions prior to 10.5.1.0.279 **Description** An issue exists where the authenticated configuration endpoint `/admin/ conf.jsp` writes the Wi-Fi guest password to memory using `snprintf` with attacker-supplied data as the format string. This triggers uncontrolled format-string processing, potentially enabling remote code execution on the controller. **Recommendations** CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 should be updated. CommScope Ruckus Unleashed versions prior to 200.17.7.0.139 should be updated. CommScope Ruckus ZoneDirector versions prior to 10.5.1.0.279 should be updated.