CVE-2025-46123 - Vulnerability Details

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest password to memory with snprintf using the attacker-supplied value as the format string; a crafted password therefore triggers uncontrolled format-string processing and enables remote code execution on the controller.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Commscope	Ruckus C110 Ruckus E510 Ruckus H320 Ruckus H350 Ruckus H510 Ruckus H550 Ruckus M510 Ruckus M510-jp Ruckus R310 Ruckus R320 Ruckus R350 Ruckus R350e Ruckus R510 Ruckus R550 Ruckus R560 Ruckus R610 Ruckus R650 Ruckus R670 Ruckus R710 Ruckus R720 Ruckus R730 Ruckus R750 Ruckus R760 Ruckus R770 Ruckus R850 Ruckus T310c Ruckus T310n Ruckus T310s Ruckus T350c Ruckus T350d Ruckus T350se Ruckus T610 Ruckus T670 Ruckus T710 Ruckus T710s Ruckus T750 Ruckus T750se Ruckus T811-cm Ruckus T811-cm \(non-sfp\) Zonedirector 1200
Ruckus	Unleashed Zonedirector
Ruckuswireless	Ruckus Unleashed Ruckus Zonedirector

Configuration 1 [-]

AND

OR	cpe:2.3:a:ruckuswireless:ruckus_unleashed::::::::
	cpe:2.3:a:ruckuswireless:ruckus_unleashed::::::::
	cpe:2.3:a:ruckuswireless:ruckus_zonedirector::::::::

OR	cpe:2.3:h:commscope:ruckus_c110:-:::::::*
	cpe:2.3:h:commscope:ruckus_e510:-:::::::*
	cpe:2.3:h:commscope:ruckus_h320:-:::::::*
	cpe:2.3:h:commscope:ruckus_h350:-:::::::*
	cpe:2.3:h:commscope:ruckus_h510:-:::::::*
	cpe:2.3:h:commscope:ruckus_h550:-:::::::*
	cpe:2.3:h:commscope:ruckus_m510:-:::::::*
	cpe:2.3:h:commscope:ruckus_m510-jp:-:::::::*
	cpe:2.3:h:commscope:ruckus_r310:-:::::::*
	cpe:2.3:h:commscope:ruckus_r320:-:::::::*
	cpe:2.3:h:commscope:ruckus_r350:-:::::::*
	cpe:2.3:h:commscope:ruckus_r350e:-:::::::*
	cpe:2.3:h:commscope:ruckus_r510:-:::::::*
	cpe:2.3:h:commscope:ruckus_r550:-:::::::*
	cpe:2.3:h:commscope:ruckus_r560:-:::::::*
	cpe:2.3:h:commscope:ruckus_r610:-:::::::*
	cpe:2.3:h:commscope:ruckus_r650:-:::::::*
	cpe:2.3:h:commscope:ruckus_r670:-:::::::*
	cpe:2.3:h:commscope:ruckus_r710:-:::::::*
	cpe:2.3:h:commscope:ruckus_r720:-:::::::*
	cpe:2.3:h:commscope:ruckus_r730:-:::::::*
	cpe:2.3:h:commscope:ruckus_r750:-:::::::*
	cpe:2.3:h:commscope:ruckus_r760:-:::::::*
	cpe:2.3:h:commscope:ruckus_r770:-:::::::*
	cpe:2.3:h:commscope:ruckus_r850:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310c:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310n:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310s:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350c:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350d:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350se:-:::::::*
	cpe:2.3:h:commscope:ruckus_t610:-:::::::*
	cpe:2.3:h:commscope:ruckus_t670:-:::::::*
	cpe:2.3:h:commscope:ruckus_t710:-:::::::*
	cpe:2.3:h:commscope:ruckus_t710s:-:::::::*
	cpe:2.3:h:commscope:ruckus_t750:-:::::::*
	cpe:2.3:h:commscope:ruckus_t750se:-:::::::*
	cpe:2.3:h:commscope:ruckus_t811-cm:-:::::::*
	cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:::::::*
	cpe:2.3:h:commscope:zonedirector_1200:-:::::::*

No data.

References

Link	Providers
https://sector7.computest.nl/post/2025-07-ruckus-unleashed/
https://support.ruckuswireless.com/security_bulletins/330

History

Tue, 05 Aug 2025 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Commscope Commscope ruckus C110 Commscope ruckus E510 Commscope ruckus H320 Commscope ruckus H350 Commscope ruckus H510 Commscope ruckus H550 Commscope ruckus M510 Commscope ruckus M510-jp Commscope ruckus R310 Commscope ruckus R320 Commscope ruckus R350 Commscope ruckus R350e Commscope ruckus R510 Commscope ruckus R550 Commscope ruckus R560 Commscope ruckus R610 Commscope ruckus R650 Commscope ruckus R670 Commscope ruckus R710 Commscope ruckus R720 Commscope ruckus R730 Commscope ruckus R750 Commscope ruckus R760 Commscope ruckus R770 Commscope ruckus R850 Commscope ruckus T310c Commscope ruckus T310n Commscope ruckus T310s Commscope ruckus T350c Commscope ruckus T350d Commscope ruckus T350se Commscope ruckus T610 Commscope ruckus T670 Commscope ruckus T710 Commscope ruckus T710s Commscope ruckus T750 Commscope ruckus T750se Commscope ruckus T811-cm Commscope ruckus T811-cm \(non-sfp\) Commscope zonedirector 1200 Ruckuswireless Ruckuswireless ruckus Unleashed Ruckuswireless ruckus Zonedirector
CPEs		cpe:2.3:a:ruckuswireless:ruckus_unleashed:::::::: cpe:2.3:a:ruckuswireless:ruckus_zonedirector:::::::: cpe:2.3:h:commscope:ruckus_c110:-:::::::* cpe:2.3:h:commscope:ruckus_e510:-:::::::* cpe:2.3:h:commscope:ruckus_h320:-:::::::* cpe:2.3:h:commscope:ruckus_h350:-:::::::* cpe:2.3:h:commscope:ruckus_h510:-:::::::* cpe:2.3:h:commscope:ruckus_h550:-:::::::* cpe:2.3:h:commscope:ruckus_m510-jp:-:::::::* cpe:2.3:h:commscope:ruckus_m510:-:::::::* cpe:2.3:h:commscope:ruckus_r310:-:::::::* cpe:2.3:h:commscope:ruckus_r320:-:::::::* cpe:2.3:h:commscope:ruckus_r350:-:::::::* cpe:2.3:h:commscope:ruckus_r350e:-:::::::* cpe:2.3:h:commscope:ruckus_r510:-:::::::* cpe:2.3:h:commscope:ruckus_r550:-:::::::* cpe:2.3:h:commscope:ruckus_r560:-:::::::* cpe:2.3:h:commscope:ruckus_r610:-:::::::* cpe:2.3:h:commscope:ruckus_r650:-:::::::* cpe:2.3:h:commscope:ruckus_r670:-:::::::* cpe:2.3:h:commscope:ruckus_r710:-:::::::* cpe:2.3:h:commscope:ruckus_r720:-:::::::* cpe:2.3:h:commscope:ruckus_r730:-:::::::* cpe:2.3:h:commscope:ruckus_r750:-:::::::* cpe:2.3:h:commscope:ruckus_r760:-:::::::* cpe:2.3:h:commscope:ruckus_r770:-:::::::* cpe:2.3:h:commscope:ruckus_r850:-:::::::* cpe:2.3:h:commscope:ruckus_t310c:-:::::::* cpe:2.3:h:commscope:ruckus_t310n:-:::::::* cpe:2.3:h:commscope:ruckus_t310s:-:::::::* cpe:2.3:h:commscope:ruckus_t350c:-:::::::* cpe:2.3:h:commscope:ruckus_t350d:-:::::::* cpe:2.3:h:commscope:ruckus_t350se:-:::::::* cpe:2.3:h:commscope:ruckus_t610:-:::::::* cpe:2.3:h:commscope:ruckus_t670:-:::::::* cpe:2.3:h:commscope:ruckus_t710:-:::::::* cpe:2.3:h:commscope:ruckus_t710s:-:::::::* cpe:2.3:h:commscope:ruckus_t750:-:::::::* cpe:2.3:h:commscope:ruckus_t750se:-:::::::* cpe:2.3:h:commscope:ruckus_t811-cm:-:::::::* cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:::::::* cpe:2.3:h:commscope:zonedirector_1200:-:::::::*
Vendors & Products		Commscope Commscope ruckus C110 Commscope ruckus E510 Commscope ruckus H320 Commscope ruckus H350 Commscope ruckus H510 Commscope ruckus H550 Commscope ruckus M510 Commscope ruckus M510-jp Commscope ruckus R310 Commscope ruckus R320 Commscope ruckus R350 Commscope ruckus R350e Commscope ruckus R510 Commscope ruckus R550 Commscope ruckus R560 Commscope ruckus R610 Commscope ruckus R650 Commscope ruckus R670 Commscope ruckus R710 Commscope ruckus R720 Commscope ruckus R730 Commscope ruckus R750 Commscope ruckus R760 Commscope ruckus R770 Commscope ruckus R850 Commscope ruckus T310c Commscope ruckus T310n Commscope ruckus T310s Commscope ruckus T350c Commscope ruckus T350d Commscope ruckus T350se Commscope ruckus T610 Commscope ruckus T670 Commscope ruckus T710 Commscope ruckus T710s Commscope ruckus T750 Commscope ruckus T750se Commscope ruckus T811-cm Commscope ruckus T811-cm \(non-sfp\) Commscope zonedirector 1200 Ruckuswireless Ruckuswireless ruckus Unleashed Ruckuswireless ruckus Zonedirector

Thu, 24 Jul 2025 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-134
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 23 Jul 2025 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ruckus Ruckus unleashed Ruckus zonedirector
Vendors & Products		Ruckus Ruckus unleashed Ruckus zonedirector

Tue, 22 Jul 2025 17:30:00 +0000

Type	Values Removed	Values Added
References	http://commscope.com

Mon, 21 Jul 2025 15:00:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest password to memory with snprintf using the attacker-supplied value as the format string; a crafted password therefore triggers uncontrolled format-string processing and enables remote code execution on the controller.
References		http://commscope.com https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ https://support.ruckuswireless.com/security_bulletins/330

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-07-21T00:00:00.000Z

Updated: 2025-07-24T20:25:38.729Z

Reserved: 2025-04-22T00:00:00.000Z

Link: CVE-2025-46123

Vulnrichment

Updated: 2025-07-24T20:24:59.173Z

NVD

Status : Analyzed

Published: 2025-07-21T15:15:28.500

Modified: 2025-08-05T17:18:56.067

Link: CVE-2025-46123

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object