CVE-2023-25717
Published: 13 February 2023
Summary
CVE-2023-25717 is a critical-severity Code Injection (CWE-94) vulnerability in Ruckuswireless Ruckus Wireless Admin. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Ruckus Wireless Admin through version 10.4 contains a remote code execution vulnerability (CWE-94) that permits unauthenticated command injection through specially crafted HTTP GET requests to the login endpoint, such as /forms/doLogin with a login_username parameter containing shell metacharacters and a command substring. The flaw carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.
An unauthenticated attacker can send a single crafted GET request to achieve arbitrary command execution on the affected wireless administration interface, resulting in complete system compromise without any prior authentication.
Ruckus has published security bulletin 315 addressing the issue, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, indicating that official remediation guidance and patches are available for supported releases.
The EPSS score remains persistently high, with a current value of 0.9424 and a recorded peak of 0.9671, consistent with confirmed in-the-wild exploitation activity tracked by CISA.
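As an added illustration (not part of the advisory or of any Ruckus code), the following Python scans web-server access-log lines for GET requests to /forms/doLogin whose URL-decoded query parameters contain shell metacharacters of the kind described above. The combined-log field order, the sample lines and the source addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Login endpoint named in the advisory.
LOGIN_PATH = "/forms/doLogin"
# Shell metacharacters that have no place in a login form's username or password field.
METACHAR_RE = re.compile(r"\$\(|`|\||;|\$\{")
# Combined-log style line: client, ident, user, [timestamp], "METHOD target proto", status (assumed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: one legitimate login, one unrelated request, two flagged requests
# (the second one double-URL-encodes the "$(" sequence to evade naive string matching).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Feb/2023:10:00:01 +0000] "GET /forms/doLogin?login_username=admin&password=Winter2023 HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Feb/2023:10:00:02 +0000] "GET /admin/dashboard HTTP/1.1" 200 2048',
    '198.51.100.23 - - [13/Feb/2023:10:05:44 +0000] "GET /forms/doLogin?login_username=admin&password=password%24%28curl HTTP/1.1" 200 512',
    '198.51.100.23 - - [13/Feb/2023:10:05:45 +0000] "GET /forms/doLogin?login_username=admin%2524%2528curl&password=x HTTP/1.1" 200 512',
]


def suspicious_params(target):
    """Return the names of /forms/doLogin query parameters that carry shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; decode a second time to catch double encoding.
        decoded = unquote(value)
        if METACHAR_RE.search(decoded):
            hits.append(name)
    return hits


def scan_log(lines):
    """Return (source address, timestamp, flagged parameter names) for each matching log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = suspicious_params(m.group("target"))
        if params:
            findings.append((m.group("src"), m.group("ts"), params))
    return findings


if __name__ == "__main__":
    for src, ts, params in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} shell metacharacters in {', '.join(params)}")
```

Passwords that legitimately contain `;` or `|` will trigger this heuristic, so the path filter is what keeps the false-positive rate manageable; treat a hit as a lead to pivot on, not a verdict.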
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-29627
Vulnerability details
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 12 May 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of inputs to the /forms/doLogin endpoint so that command-injection payloads such as $(curl) are rejected.
- AC-3 (Access Enforcement): enforces authentication and access-control decisions on the admin login form so that unauthenticated requests cannot reach code-execution paths.
- Vendor patching: mandates prompt application of the patches or mitigations listed in Ruckus bulletin 315 to eliminate the flawed login-form code.