CVE-2025-46121

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:ruckuswireless:ruckus_unleashed:*:*:*:*:*:*:*:*
cpe:2.3:a:ruckuswireless:ruckus_unleashed:*:*:*:*:*:*:*:*
cpe:2.3:a:ruckuswireless:ruckus_zonedirector:*:*:*:*:*:*:*:*
OR cpe:2.3:h:commscope:ruckus_c110:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_e510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h320:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h350:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h550:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_m510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_m510-jp:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r310:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r320:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r350:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r350e:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r550:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r560:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r610:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r650:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r670:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r710:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r720:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r730:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r750:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r760:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r770:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r850:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310c:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310n:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310s:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350c:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350d:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350se:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t610:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t670:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t710:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t710s:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t750:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t750se:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t811-cm:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:zonedirector_1200:-:*:*:*:*:*:*:*

History

05 Aug 2025, 17:18

Type Values Removed Values Added
First Time Commscope ruckus R850
Commscope ruckus R320
Commscope ruckus R310
Commscope ruckus T710s
Commscope ruckus T670
Commscope ruckus C110
Commscope zonedirector 1200
Commscope ruckus R730
Commscope ruckus R350e
Commscope ruckus T710
Commscope ruckus T350se
Commscope ruckus M510
Commscope ruckus T811-cm
Commscope ruckus R760
Commscope ruckus H510
Commscope ruckus R750
Commscope ruckus H320
Commscope ruckus R610
Commscope ruckus T610
Commscope ruckus T310c
Commscope ruckus T750se
Commscope ruckus R510
Commscope ruckus T310n
Commscope ruckus T350c
Commscope ruckus M510-jp
Commscope ruckus T750
Commscope ruckus R670
Commscope ruckus H550
Commscope ruckus R770
Commscope ruckus E510
Ruckuswireless ruckus Zonedirector
Commscope ruckus R350
Commscope ruckus T811-cm \(non-sfp\)
Commscope ruckus R720
Commscope ruckus R710
Commscope ruckus R560
Commscope ruckus R550
Commscope ruckus R650
Commscope ruckus T310s
Ruckuswireless
Ruckuswireless ruckus Unleashed
Commscope ruckus T350d
Commscope ruckus H350
Commscope
References () https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ - () https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ - Exploit, Third Party Advisory
References () https://support.ruckuswireless.com/security_bulletins/330 - () https://support.ruckuswireless.com/security_bulletins/330 - Product
CPE cpe:2.3:h:commscope:ruckus_r770:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r760:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_e510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r550:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_c110:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r310:-:*:*:*:*:*:*:*
cpe:2.3:a:ruckuswireless:ruckus_zonedirector:*:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r320:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310n:-:*:*:*:*:*:*:*
cpe:2.3:a:ruckuswireless:ruckus_unleashed:*:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t610:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350d:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350se:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r650:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t710s:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310c:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:zonedirector_1200:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t670:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r730:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_m510-jp:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r850:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r610:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t811-cm:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t710:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r710:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_m510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h350:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r670:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r560:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310s:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t750:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h550:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r350:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h320:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t750se:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r720:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r350e:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r750:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350c:-:*:*:*:*:*:*:*

25 Jul 2025, 14:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.2
v2 : unknown
v3 : 9.8

24 Jul 2025, 21:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.2
CWE CWE-134
Summary
  • (es) Se descubrió un problema en CommScope Ruckus Unleashed anterior a 200.15.6.212.14 y 200.17.7.0.139, donde las funciones `stamgr_cfg_adpt_addStaFavourite` y `stamgr_cfg_adpt_addStaIot` pasan el nombre de host de un cliente directamente a snprintf como cadena de formato. Un atacante remoto puede explotar esta vulnerabilidad enviando una solicitud manipulada al endpoint autenticado `/admin/_conf.jsp`, o sin autenticación y sin acceso directo al controlador de red, falsificando la dirección MAC de una estación favorita e incrustando especificadores de formato maliciosos en el campo de nombre de host DHCP, lo que resulta en el procesamiento no autenticado de la cadena de formato y la ejecución de código arbitrario en el controlador.

22 Jul 2025, 17:15

Type Values Removed Values Added
References
  • {'url': 'http://commscope.com', 'source': 'cve@mitre.org'}

21 Jul 2025, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-07-21 15:15

Updated : 2025-08-05 17:18


NVD link : CVE-2025-46121

Mitre link : CVE-2025-46121

CVE.ORG link : CVE-2025-46121


JSON object : View

Products Affected

commscope

  • ruckus_t610
  • ruckus_h350
  • ruckus_r850
  • ruckus_r650
  • ruckus_t350se
  • ruckus_t750
  • ruckus_h320
  • ruckus_t310s
  • ruckus_e510
  • ruckus_r350
  • zonedirector_1200
  • ruckus_t350c
  • ruckus_r320
  • ruckus_r760
  • ruckus_t750se
  • ruckus_r560
  • ruckus_r610
  • ruckus_r750
  • ruckus_t710
  • ruckus_r730
  • ruckus_t710s
  • ruckus_r550
  • ruckus_h550
  • ruckus_r770
  • ruckus_t310c
  • ruckus_t670
  • ruckus_t350d
  • ruckus_r310
  • ruckus_r720
  • ruckus_r350e
  • ruckus_r710
  • ruckus_t310n
  • ruckus_t811-cm
  • ruckus_t811-cm_\(non-sfp\)
  • ruckus_c110
  • ruckus_m510-jp
  • ruckus_r510
  • ruckus_m510
  • ruckus_h510
  • ruckus_r670

ruckuswireless

  • ruckus_unleashed
  • ruckus_zonedirector
CWE
CWE-134

Use of Externally-Controlled Format String