An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.
References
Link | Resource |
---|---|
https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ | Exploit Third Party Advisory |
https://support.ruckuswireless.com/security_bulletins/330 | Product |
Configurations
Configuration 1 (hide)
AND |
|
History
05 Aug 2025, 17:18
Type | Values Removed | Values Added |
---|---|---|
First Time |
Commscope ruckus R850
Commscope ruckus R320 Commscope ruckus R310 Commscope ruckus T710s Commscope ruckus T670 Commscope ruckus C110 Commscope zonedirector 1200 Commscope ruckus R730 Commscope ruckus R350e Commscope ruckus T710 Commscope ruckus T350se Commscope ruckus M510 Commscope ruckus T811-cm Commscope ruckus R760 Commscope ruckus H510 Commscope ruckus R750 Commscope ruckus H320 Commscope ruckus R610 Commscope ruckus T610 Commscope ruckus T310c Commscope ruckus T750se Commscope ruckus R510 Commscope ruckus T310n Commscope ruckus T350c Commscope ruckus M510-jp Commscope ruckus T750 Commscope ruckus R670 Commscope ruckus H550 Commscope ruckus R770 Commscope ruckus E510 Ruckuswireless ruckus Zonedirector Commscope ruckus R350 Commscope ruckus T811-cm \(non-sfp\) Commscope ruckus R720 Commscope ruckus R710 Commscope ruckus R560 Commscope ruckus R550 Commscope ruckus R650 Commscope ruckus T310s Ruckuswireless Ruckuswireless ruckus Unleashed Commscope ruckus T350d Commscope ruckus H350 Commscope |
|
References | () https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ - Exploit, Third Party Advisory | |
References | () https://support.ruckuswireless.com/security_bulletins/330 - Product | |
CPE | cpe:2.3:h:commscope:ruckus_r770:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r760:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_e510:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r550:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_c110:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r510:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r310:-:*:*:*:*:*:*:* cpe:2.3:a:ruckuswireless:ruckus_zonedirector:*:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r320:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t310n:-:*:*:*:*:*:*:* cpe:2.3:a:ruckuswireless:ruckus_unleashed:*:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t610:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t350d:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t350se:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r650:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t710s:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t310c:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:zonedirector_1200:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_h510:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t670:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r730:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_m510-jp:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r850:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r610:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t811-cm:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t710:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r710:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_m510:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_h350:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r670:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r560:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t310s:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t750:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_h550:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r350:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_h320:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t750se:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r720:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r350e:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r750:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t350c:-:*:*:*:*:*:*:* |
25 Jul 2025, 14:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
24 Jul 2025, 21:15
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
CWE | CWE-134 | |
Summary |
|
22 Jul 2025, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Jul 2025, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-07-21 15:15
Updated : 2025-08-05 17:18
NVD link : CVE-2025-46121
Mitre link : CVE-2025-46121
CVE.ORG link : CVE-2025-46121
JSON object : View
Products Affected
commscope
- ruckus_t610
- ruckus_h350
- ruckus_r850
- ruckus_r650
- ruckus_t350se
- ruckus_t750
- ruckus_h320
- ruckus_t310s
- ruckus_e510
- ruckus_r350
- zonedirector_1200
- ruckus_t350c
- ruckus_r320
- ruckus_r760
- ruckus_t750se
- ruckus_r560
- ruckus_r610
- ruckus_r750
- ruckus_t710
- ruckus_r730
- ruckus_t710s
- ruckus_r550
- ruckus_h550
- ruckus_r770
- ruckus_t310c
- ruckus_t670
- ruckus_t350d
- ruckus_r310
- ruckus_r720
- ruckus_r350e
- ruckus_r710
- ruckus_t310n
- ruckus_t811-cm
- ruckus_t811-cm_\(non-sfp\)
- ruckus_c110
- ruckus_m510-jp
- ruckus_r510
- ruckus_m510
- ruckus_h510
- ruckus_r670
ruckuswireless
- ruckus_unleashed
- ruckus_zonedirector
CWE
CWE-134
Use of Externally-Controlled Format String