CVE-2025-46121 - Vulnerability Details

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact total

Vendors	Products
Commscope	Ruckus C110 Ruckus E510 Ruckus H320 Ruckus H350 Ruckus H510 Ruckus H550 Ruckus M510 Ruckus M510-jp Ruckus R310 Ruckus R320 Ruckus R350 Ruckus R350e Ruckus R510 Ruckus R550 Ruckus R560 Ruckus R610 Ruckus R650 Ruckus R670 Ruckus R710 Ruckus R720 Ruckus R730 Ruckus R750 Ruckus R760 Ruckus R770 Ruckus R850 Ruckus T310c Ruckus T310n Ruckus T310s Ruckus T350c Ruckus T350d Ruckus T350se Ruckus T610 Ruckus T670 Ruckus T710 Ruckus T710s Ruckus T750 Ruckus T750se Ruckus T811-cm Ruckus T811-cm \(non-sfp\) Zonedirector 1200
Ruckuswireless	Ruckus Unleashed Ruckus Zonedirector

Configuration 1 [-]

AND

OR	cpe:2.3:a:ruckuswireless:ruckus_unleashed::::::::
	cpe:2.3:a:ruckuswireless:ruckus_unleashed::::::::
	cpe:2.3:a:ruckuswireless:ruckus_zonedirector::::::::

OR	cpe:2.3:h:commscope:ruckus_c110:-:::::::*
	cpe:2.3:h:commscope:ruckus_e510:-:::::::*
	cpe:2.3:h:commscope:ruckus_h320:-:::::::*
	cpe:2.3:h:commscope:ruckus_h350:-:::::::*
	cpe:2.3:h:commscope:ruckus_h510:-:::::::*
	cpe:2.3:h:commscope:ruckus_h550:-:::::::*
	cpe:2.3:h:commscope:ruckus_m510:-:::::::*
	cpe:2.3:h:commscope:ruckus_m510-jp:-:::::::*
	cpe:2.3:h:commscope:ruckus_r310:-:::::::*
	cpe:2.3:h:commscope:ruckus_r320:-:::::::*
	cpe:2.3:h:commscope:ruckus_r350:-:::::::*
	cpe:2.3:h:commscope:ruckus_r350e:-:::::::*
	cpe:2.3:h:commscope:ruckus_r510:-:::::::*
	cpe:2.3:h:commscope:ruckus_r550:-:::::::*
	cpe:2.3:h:commscope:ruckus_r560:-:::::::*
	cpe:2.3:h:commscope:ruckus_r610:-:::::::*
	cpe:2.3:h:commscope:ruckus_r650:-:::::::*
	cpe:2.3:h:commscope:ruckus_r670:-:::::::*
	cpe:2.3:h:commscope:ruckus_r710:-:::::::*
	cpe:2.3:h:commscope:ruckus_r720:-:::::::*
	cpe:2.3:h:commscope:ruckus_r730:-:::::::*
	cpe:2.3:h:commscope:ruckus_r750:-:::::::*
	cpe:2.3:h:commscope:ruckus_r760:-:::::::*
	cpe:2.3:h:commscope:ruckus_r770:-:::::::*
	cpe:2.3:h:commscope:ruckus_r850:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310c:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310n:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310s:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350c:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350d:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350se:-:::::::*
	cpe:2.3:h:commscope:ruckus_t610:-:::::::*
	cpe:2.3:h:commscope:ruckus_t670:-:::::::*
	cpe:2.3:h:commscope:ruckus_t710:-:::::::*
	cpe:2.3:h:commscope:ruckus_t710s:-:::::::*
	cpe:2.3:h:commscope:ruckus_t750:-:::::::*
	cpe:2.3:h:commscope:ruckus_t750se:-:::::::*
	cpe:2.3:h:commscope:ruckus_t811-cm:-:::::::*
	cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:::::::*
	cpe:2.3:h:commscope:zonedirector_1200:-:::::::*

No data.

References

Link	Providers
https://sector7.computest.nl/post/2025-07-ruckus-unleashed/
https://support.ruckuswireless.com/security_bulletins/330

History

Tue, 05 Aug 2025 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Commscope Commscope ruckus C110 Commscope ruckus E510 Commscope ruckus H320 Commscope ruckus H350 Commscope ruckus H510 Commscope ruckus H550 Commscope ruckus M510 Commscope ruckus M510-jp Commscope ruckus R310 Commscope ruckus R320 Commscope ruckus R350 Commscope ruckus R350e Commscope ruckus R510 Commscope ruckus R550 Commscope ruckus R560 Commscope ruckus R610 Commscope ruckus R650 Commscope ruckus R670 Commscope ruckus R710 Commscope ruckus R720 Commscope ruckus R730 Commscope ruckus R750 Commscope ruckus R760 Commscope ruckus R770 Commscope ruckus R850 Commscope ruckus T310c Commscope ruckus T310n Commscope ruckus T310s Commscope ruckus T350c Commscope ruckus T350d Commscope ruckus T350se Commscope ruckus T610 Commscope ruckus T670 Commscope ruckus T710 Commscope ruckus T710s Commscope ruckus T750 Commscope ruckus T750se Commscope ruckus T811-cm Commscope ruckus T811-cm \(non-sfp\) Commscope zonedirector 1200 Ruckuswireless Ruckuswireless ruckus Unleashed Ruckuswireless ruckus Zonedirector
CPEs		cpe:2.3:a:ruckuswireless:ruckus_unleashed:::::::: cpe:2.3:a:ruckuswireless:ruckus_zonedirector:::::::: cpe:2.3:h:commscope:ruckus_c110:-:::::::* cpe:2.3:h:commscope:ruckus_e510:-:::::::* cpe:2.3:h:commscope:ruckus_h320:-:::::::* cpe:2.3:h:commscope:ruckus_h350:-:::::::* cpe:2.3:h:commscope:ruckus_h510:-:::::::* cpe:2.3:h:commscope:ruckus_h550:-:::::::* cpe:2.3:h:commscope:ruckus_m510-jp:-:::::::* cpe:2.3:h:commscope:ruckus_m510:-:::::::* cpe:2.3:h:commscope:ruckus_r310:-:::::::* cpe:2.3:h:commscope:ruckus_r320:-:::::::* cpe:2.3:h:commscope:ruckus_r350:-:::::::* cpe:2.3:h:commscope:ruckus_r350e:-:::::::* cpe:2.3:h:commscope:ruckus_r510:-:::::::* cpe:2.3:h:commscope:ruckus_r550:-:::::::* cpe:2.3:h:commscope:ruckus_r560:-:::::::* cpe:2.3:h:commscope:ruckus_r610:-:::::::* cpe:2.3:h:commscope:ruckus_r650:-:::::::* cpe:2.3:h:commscope:ruckus_r670:-:::::::* cpe:2.3:h:commscope:ruckus_r710:-:::::::* cpe:2.3:h:commscope:ruckus_r720:-:::::::* cpe:2.3:h:commscope:ruckus_r730:-:::::::* cpe:2.3:h:commscope:ruckus_r750:-:::::::* cpe:2.3:h:commscope:ruckus_r760:-:::::::* cpe:2.3:h:commscope:ruckus_r770:-:::::::* cpe:2.3:h:commscope:ruckus_r850:-:::::::* cpe:2.3:h:commscope:ruckus_t310c:-:::::::* cpe:2.3:h:commscope:ruckus_t310n:-:::::::* cpe:2.3:h:commscope:ruckus_t310s:-:::::::* cpe:2.3:h:commscope:ruckus_t350c:-:::::::* cpe:2.3:h:commscope:ruckus_t350d:-:::::::* cpe:2.3:h:commscope:ruckus_t350se:-:::::::* cpe:2.3:h:commscope:ruckus_t610:-:::::::* cpe:2.3:h:commscope:ruckus_t670:-:::::::* cpe:2.3:h:commscope:ruckus_t710:-:::::::* cpe:2.3:h:commscope:ruckus_t710s:-:::::::* cpe:2.3:h:commscope:ruckus_t750:-:::::::* cpe:2.3:h:commscope:ruckus_t750se:-:::::::* cpe:2.3:h:commscope:ruckus_t811-cm:-:::::::* cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:::::::* cpe:2.3:h:commscope:zonedirector_1200:-:::::::*
Vendors & Products		Commscope Commscope ruckus C110 Commscope ruckus E510 Commscope ruckus H320 Commscope ruckus H350 Commscope ruckus H510 Commscope ruckus H550 Commscope ruckus M510 Commscope ruckus M510-jp Commscope ruckus R310 Commscope ruckus R320 Commscope ruckus R350 Commscope ruckus R350e Commscope ruckus R510 Commscope ruckus R550 Commscope ruckus R560 Commscope ruckus R610 Commscope ruckus R650 Commscope ruckus R670 Commscope ruckus R710 Commscope ruckus R720 Commscope ruckus R730 Commscope ruckus R750 Commscope ruckus R760 Commscope ruckus R770 Commscope ruckus R850 Commscope ruckus T310c Commscope ruckus T310n Commscope ruckus T310s Commscope ruckus T350c Commscope ruckus T350d Commscope ruckus T350se Commscope ruckus T610 Commscope ruckus T670 Commscope ruckus T710 Commscope ruckus T710s Commscope ruckus T750 Commscope ruckus T750se Commscope ruckus T811-cm Commscope ruckus T811-cm \(non-sfp\) Commscope zonedirector 1200 Ruckuswireless Ruckuswireless ruckus Unleashed Ruckuswireless ruckus Zonedirector

Mon, 28 Jul 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 25 Jul 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 24 Jul 2025 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-134
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 22 Jul 2025 17:30:00 +0000

Type	Values Removed	Values Added
References	http://commscope.com

Mon, 21 Jul 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.
References		http://commscope.com https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ https://support.ruckuswireless.com/security_bulletins/330

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-07-21T00:00:00.000Z

Updated: 2025-07-28T19:42:06.394Z

Reserved: 2025-04-22T00:00:00.000Z

Link: CVE-2025-46121

Vulnrichment

Updated: 2025-07-24T20:27:35.439Z

NVD

Status : Analyzed

Published: 2025-07-21T15:15:28.270

Modified: 2025-08-05T17:18:43.993

Link: CVE-2025-46121

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object