CVE-2025-46122 - Vulnerability Details

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation, enabling a remote attacker to specify a target by MAC address and execute arbitrary commands as root.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Commscope	Ruckus C110 Ruckus E510 Ruckus H320 Ruckus H350 Ruckus H510 Ruckus H550 Ruckus M510 Ruckus M510-jp Ruckus R310 Ruckus R320 Ruckus R350 Ruckus R350e Ruckus R510 Ruckus R550 Ruckus R560 Ruckus R610 Ruckus R650 Ruckus R670 Ruckus R710 Ruckus R720 Ruckus R730 Ruckus R750 Ruckus R760 Ruckus R770 Ruckus R850 Ruckus T310c Ruckus T310n Ruckus T310s Ruckus T350c Ruckus T350d Ruckus T350se Ruckus T610 Ruckus T670 Ruckus T710 Ruckus T710s Ruckus T750 Ruckus T750se Ruckus T811-cm Ruckus T811-cm \(non-sfp\) Zonedirector 1200
Ruckuswireless	Ruckus Unleashed Ruckus Zonedirector

Configuration 1 [-]

AND

OR	cpe:2.3:a:ruckuswireless:ruckus_unleashed::::::::
	cpe:2.3:a:ruckuswireless:ruckus_unleashed::::::::
	cpe:2.3:a:ruckuswireless:ruckus_zonedirector::::::::

OR	cpe:2.3:h:commscope:ruckus_c110:-:::::::*
	cpe:2.3:h:commscope:ruckus_e510:-:::::::*
	cpe:2.3:h:commscope:ruckus_h320:-:::::::*
	cpe:2.3:h:commscope:ruckus_h350:-:::::::*
	cpe:2.3:h:commscope:ruckus_h510:-:::::::*
	cpe:2.3:h:commscope:ruckus_h550:-:::::::*
	cpe:2.3:h:commscope:ruckus_m510:-:::::::*
	cpe:2.3:h:commscope:ruckus_m510-jp:-:::::::*
	cpe:2.3:h:commscope:ruckus_r310:-:::::::*
	cpe:2.3:h:commscope:ruckus_r320:-:::::::*
	cpe:2.3:h:commscope:ruckus_r350:-:::::::*
	cpe:2.3:h:commscope:ruckus_r350e:-:::::::*
	cpe:2.3:h:commscope:ruckus_r510:-:::::::*
	cpe:2.3:h:commscope:ruckus_r550:-:::::::*
	cpe:2.3:h:commscope:ruckus_r560:-:::::::*
	cpe:2.3:h:commscope:ruckus_r610:-:::::::*
	cpe:2.3:h:commscope:ruckus_r650:-:::::::*
	cpe:2.3:h:commscope:ruckus_r670:-:::::::*
	cpe:2.3:h:commscope:ruckus_r710:-:::::::*
	cpe:2.3:h:commscope:ruckus_r720:-:::::::*
	cpe:2.3:h:commscope:ruckus_r730:-:::::::*
	cpe:2.3:h:commscope:ruckus_r750:-:::::::*
	cpe:2.3:h:commscope:ruckus_r760:-:::::::*
	cpe:2.3:h:commscope:ruckus_r770:-:::::::*
	cpe:2.3:h:commscope:ruckus_r850:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310c:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310n:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310s:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350c:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350d:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350se:-:::::::*
	cpe:2.3:h:commscope:ruckus_t610:-:::::::*
	cpe:2.3:h:commscope:ruckus_t670:-:::::::*
	cpe:2.3:h:commscope:ruckus_t710:-:::::::*
	cpe:2.3:h:commscope:ruckus_t710s:-:::::::*
	cpe:2.3:h:commscope:ruckus_t750:-:::::::*
	cpe:2.3:h:commscope:ruckus_t750se:-:::::::*
	cpe:2.3:h:commscope:ruckus_t811-cm:-:::::::*
	cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:::::::*
	cpe:2.3:h:commscope:zonedirector_1200:-:::::::*

No data.

References

Link	Providers
https://sector7.computest.nl/post/2025-07-ruckus-unleashed/
https://support.ruckuswireless.com/security_bulletins/330

History

Tue, 05 Aug 2025 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Commscope Commscope ruckus C110 Commscope ruckus E510 Commscope ruckus H320 Commscope ruckus H350 Commscope ruckus H510 Commscope ruckus H550 Commscope ruckus M510 Commscope ruckus M510-jp Commscope ruckus R310 Commscope ruckus R320 Commscope ruckus R350 Commscope ruckus R350e Commscope ruckus R510 Commscope ruckus R550 Commscope ruckus R560 Commscope ruckus R610 Commscope ruckus R650 Commscope ruckus R670 Commscope ruckus R710 Commscope ruckus R720 Commscope ruckus R730 Commscope ruckus R750 Commscope ruckus R760 Commscope ruckus R770 Commscope ruckus R850 Commscope ruckus T310c Commscope ruckus T310n Commscope ruckus T310s Commscope ruckus T350c Commscope ruckus T350d Commscope ruckus T350se Commscope ruckus T610 Commscope ruckus T670 Commscope ruckus T710 Commscope ruckus T710s Commscope ruckus T750 Commscope ruckus T750se Commscope ruckus T811-cm Commscope ruckus T811-cm \(non-sfp\) Commscope zonedirector 1200 Ruckuswireless Ruckuswireless ruckus Unleashed Ruckuswireless ruckus Zonedirector
CPEs		cpe:2.3:a:ruckuswireless:ruckus_unleashed:::::::: cpe:2.3:a:ruckuswireless:ruckus_zonedirector:::::::: cpe:2.3:h:commscope:ruckus_c110:-:::::::* cpe:2.3:h:commscope:ruckus_e510:-:::::::* cpe:2.3:h:commscope:ruckus_h320:-:::::::* cpe:2.3:h:commscope:ruckus_h350:-:::::::* cpe:2.3:h:commscope:ruckus_h510:-:::::::* cpe:2.3:h:commscope:ruckus_h550:-:::::::* cpe:2.3:h:commscope:ruckus_m510-jp:-:::::::* cpe:2.3:h:commscope:ruckus_m510:-:::::::* cpe:2.3:h:commscope:ruckus_r310:-:::::::* cpe:2.3:h:commscope:ruckus_r320:-:::::::* cpe:2.3:h:commscope:ruckus_r350:-:::::::* cpe:2.3:h:commscope:ruckus_r350e:-:::::::* cpe:2.3:h:commscope:ruckus_r510:-:::::::* cpe:2.3:h:commscope:ruckus_r550:-:::::::* cpe:2.3:h:commscope:ruckus_r560:-:::::::* cpe:2.3:h:commscope:ruckus_r610:-:::::::* cpe:2.3:h:commscope:ruckus_r650:-:::::::* cpe:2.3:h:commscope:ruckus_r670:-:::::::* cpe:2.3:h:commscope:ruckus_r710:-:::::::* cpe:2.3:h:commscope:ruckus_r720:-:::::::* cpe:2.3:h:commscope:ruckus_r730:-:::::::* cpe:2.3:h:commscope:ruckus_r750:-:::::::* cpe:2.3:h:commscope:ruckus_r760:-:::::::* cpe:2.3:h:commscope:ruckus_r770:-:::::::* cpe:2.3:h:commscope:ruckus_r850:-:::::::* cpe:2.3:h:commscope:ruckus_t310c:-:::::::* cpe:2.3:h:commscope:ruckus_t310n:-:::::::* cpe:2.3:h:commscope:ruckus_t310s:-:::::::* cpe:2.3:h:commscope:ruckus_t350c:-:::::::* cpe:2.3:h:commscope:ruckus_t350d:-:::::::* cpe:2.3:h:commscope:ruckus_t350se:-:::::::* cpe:2.3:h:commscope:ruckus_t610:-:::::::* cpe:2.3:h:commscope:ruckus_t670:-:::::::* cpe:2.3:h:commscope:ruckus_t710:-:::::::* cpe:2.3:h:commscope:ruckus_t710s:-:::::::* cpe:2.3:h:commscope:ruckus_t750:-:::::::* cpe:2.3:h:commscope:ruckus_t750se:-:::::::* cpe:2.3:h:commscope:ruckus_t811-cm:-:::::::* cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:::::::* cpe:2.3:h:commscope:zonedirector_1200:-:::::::*
Vendors & Products		Commscope Commscope ruckus C110 Commscope ruckus E510 Commscope ruckus H320 Commscope ruckus H350 Commscope ruckus H510 Commscope ruckus H550 Commscope ruckus M510 Commscope ruckus M510-jp Commscope ruckus R310 Commscope ruckus R320 Commscope ruckus R350 Commscope ruckus R350e Commscope ruckus R510 Commscope ruckus R550 Commscope ruckus R560 Commscope ruckus R610 Commscope ruckus R650 Commscope ruckus R670 Commscope ruckus R710 Commscope ruckus R720 Commscope ruckus R730 Commscope ruckus R750 Commscope ruckus R760 Commscope ruckus R770 Commscope ruckus R850 Commscope ruckus T310c Commscope ruckus T310n Commscope ruckus T310s Commscope ruckus T350c Commscope ruckus T350d Commscope ruckus T350se Commscope ruckus T610 Commscope ruckus T670 Commscope ruckus T710 Commscope ruckus T710s Commscope ruckus T750 Commscope ruckus T750se Commscope ruckus T811-cm Commscope ruckus T811-cm \(non-sfp\) Commscope zonedirector 1200 Ruckuswireless Ruckuswireless ruckus Unleashed Ruckuswireless ruckus Zonedirector

Wed, 23 Jul 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 22 Jul 2025 17:30:00 +0000

Type	Values Removed	Values Added
References	http://commscope.com

Tue, 22 Jul 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-77
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 21 Jul 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation, enabling a remote attacker to specify a target by MAC address and execute arbitrary commands as root.
References		http://commscope.com https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ https://support.ruckuswireless.com/security_bulletins/330

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-07-21T00:00:00.000Z

Updated: 2025-07-23T17:16:46.566Z

Reserved: 2025-04-22T00:00:00.000Z

Link: CVE-2025-46122

Vulnrichment

Updated: 2025-07-22T15:54:19.449Z

NVD

Status : Analyzed

Published: 2025-07-21T15:15:28.390

Modified: 2025-08-05T17:18:47.920

Link: CVE-2025-46122

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object