PT-2023-2627 · Ruckus Wireless · Ruckus Wireless Admin

Ken Pyle · Published 2023-02-13 · Updated 2025-08-22 · CVE-2023-25717

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Ruckus Wireless Admin versions prior to 10.4

Description

The issue concerns a Remote Code Execution vulnerability in Ruckus Wireless Admin, allowing an unauthenticated attacker to execute arbitrary code via an HTTP GET request. This can be demonstrated by sending a request to the /forms/doLogin endpoint with specific parameters, such as login username=admin and password=password$(curl substring).

The vulnerability is being exploited by the AndoryuBot botnet, which targets Ruckus Wireless devices to enlist them in DDoS attacks. It is estimated that many devices remain unpatched, with some end-of-life models not receiving fixes. The AndoryuBot botnet can load additional scripts from a hardcoded URL and establish a connection with its command and control server via SOCKS for stealth and firewall evasion. The botnet supports multiple system architectures and 12 DDoS attack modes. Its operators offer DDoS services for hire, accepting cryptocurrency payments.

Recommendations

For Ruckus Wireless Admin versions prior to 10.4, apply the available firmware updates to patch the vulnerability. Use strong admin passwords and consider disabling remote access to the admin panel if it is not necessary. As a temporary workaround, consider restricting access to the /forms/doLogin endpoint until a patch is applied.
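
An added detection example, not part of the original advisory or any vendor code: a Python scan of web access logs for requests to /forms/doLogin whose query parameters carry shell command substitution, the request shape the description gives. The combined log format, the sample lines and the parameter names in them are constructed assumptions; the check inspects every parameter on the endpoint rather than relying on specific names.

```python
import re
from urllib.parse import parse_qsl, unquote, unquote_plus, urlsplit

ENDPOINT = "/forms/doLogin"             # endpoint named in the advisory
SUBSTITUTION = re.compile(r"\$\(|`")    # shell command substitution: $( or backtick
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Names of query parameters on ENDPOINT whose decoded value contains command substitution."""
    parts = urlsplit(target)
    if unquote(parts.path).rstrip("/") != ENDPOINT:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode a second time to catch double-encoded values.
        if SUBSTITUTION.search(value) or SUBSTITUTION.search(unquote_plus(value)):
            hits.append(name)
    return hits


def scan(lines):
    """Return (source, method, parameter names) for each access-log line that matches."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if m:
            hits = suspicious_params(m["target"])
            if hits:
                findings.append((m["src"], m["method"], hits))
    return findings


# Constructed sample lines in combined log format (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Feb/2023:10:00:01 +0000] "GET /forms/doLogin?login_username=admin'
    '&password=password%24%28curl%20substring%29 HTTP/1.1" 200 512',
    '192.0.2.10 - - [13/Feb/2023:10:00:05 +0000] "GET /forms/doLogin?login_username=admin'
    '&password=Tr0ub4dor HTTP/1.1" 302 0',
    '203.0.113.9 - - [13/Feb/2023:10:00:09 +0000] "GET /forms/doLogin?login_username=admin'
    '&password=x%2524%2528curl%2520substring%2529 HTTP/1.1" 200 512',
    '192.0.2.10 - - [13/Feb/2023:10:00:12 +0000] "GET /index.html?q=%24%28date%29 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for src, method, params in scan(SAMPLE_LOG):
        print(f"{src} {method} {ENDPOINT}: command substitution in {', '.join(params)}")
```

A hit shows only that such a request was received; whether the device was vulnerable at the time depends on its firmware version.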

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2023-02467
CVE-2023-25717

Affected Products

Ruckus Wireless Admin