Start your free trial today.

Protect your organization with cutting-edge cybersecurity solutions designed for resilience and efficiency. Secure your digital assets with confidence.

Your Shield Against Threats

Unleash the Power of Cybersecurity

Boost Your Security, Enhance Your Business

We solve Your Cyber Challenges

Quick Links

Resources

Deepaegis Portals

Multiple Ruckus Wireless Products CSRF and RCE Vulnerability

CVSS SCORE:9.8

CVE ID:CVE-2023-25717

SEVERITY:Critical

Vendor:Ruckus Wireless

Reporter:cve@mitre.org

Exploitable?Yes

Summary

Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.

Impact

Ruckus Wireless Access Point (AP) software contains an unspecified vulnerability in the web services component. If the web services component is enabled on the AP, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability impacts Ruckus ZoneDirector, SmartZone, and Solo APs.

Affected Products

Multiple Products

Affected Version: 10.4

CVSS Metrics

Source: nvd@nist.gov

version3.1

vectorStringCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

baseScore9.8

baseSeverityCRITICAL

attackVectorNETWORK

attackComplexityLOW

privilegesRequiredNONE

userInteractionNONE

scopeUNCHANGED

confidentialityImpactHIGH

integrityImpactHIGH

availabilityImpactHIGH

CWE Information

Source: nvd@nist.gov,Type: Primary

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0,Type: Secondary

Action Information

Action Due: 6/2/2023

Remediation: Apply updates per vendor instructions or disconnect product if it is end-of-life.

Exploit Added Date: 5/12/2023

Patch and Mitigation Information

Patch Information

Temporary Fixes / Workarounds

No temporary fixes provided

Recommended Security Measures

Apply updates per vendor instructions or disconnect product if it is end-of-life.

Detection Methods

No detection methods provided

Date Of Vendor Response

Not specified

Date Of Patch Release

Not specified

Additional Information

References

cve@mitre.org:https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/

cve@mitre.org:https://support.ruckuswireless.com/security_bulletins/315

af854a3a-2127-422b-91ae-364da2661108:https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/

af854a3a-2127-422b-91ae-364da2661108:https://support.ruckuswireless.com/security_bulletins/315

Proof of Concept

https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/

Affected Organizations

No affected organizations specified

Confidentiality Notice

This document contains sensitive information. Unauthorized distribution is prohibited.

Vulnerability Advisory

Published 2/13/2023

Updated 8/22/2025