Cyber Resilience

CVE-2023-25717

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 13 February 2023
Modified: 03 November 2025
KEV Added: 12 May 2023
Patch
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9424 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-25717 is a critical-severity Code Injection (CWE-94) vulnerability in Ruckuswireless Ruckus Wireless Admin. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Ruckus Wireless Admin through version 10.4 contains a remote code execution vulnerability (CWE-94) that permits unauthenticated command injection through specially crafted HTTP GET requests to the login endpoint, such as /forms/doLogin with a login_username parameter containing shell metacharacters and a command substring. The flaw carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated attacker can send a single crafted GET request to achieve arbitrary command execution on the affected wireless administration interface, resulting in complete system compromise without any prior authentication.

Ruckus has published security bulletin 315 addressing the issue, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, indicating that official remediation guidance and patches are available for supported releases.

The EPSS score remains persistently high, with a current value of 0.9424 and a recorded peak of 0.9671, consistent with confirmed in-the-wild exploitation activity tracked by CISA.

EU & UK References

Vulnerability details

Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 12 May 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ruckuswireless · Product: ruckus wireless admin · Versions: ≤ 10.4
Vendor: ruckuswireless · Product: smartzone ap · Versions: ≤ 6.1.0.0.9240 · ≤ 5.2.2.0.2064 · ≤ 3.6.2.0.795
Vendor: commscope · Product: ruckus smartzone firmware · Versions: 6.1.0.0.935 · ≤ 5.2.1.3 · ≤ 5.2.1.3.1695

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly requires validation of inputs to the /forms/doLogin endpoint to reject command-injection payloads such as $(curl).

prevent (AC-3, Access Enforcement): Enforces authentication and access-control decisions on the admin login form so that unauthenticated requests cannot reach code-execution paths.

prevent: Mandates prompt application of vendor patches or mitigations listed in Ruckus bulletin 315 to eliminate the flawed login-form code.
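As an added, defender-side illustration of the SI-10 input-validation control above and of how the request pattern described in this record can be spotted in web-server access logs (example code written for this page, not Ruckus's own logic; the allowlist policy and the sample log lines are constructed assumptions):

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shell command-substitution and command-chaining constructs that have no
# legitimate place in a login field; "$(" is the construct named in the
# CVE-2023-25717 description.
SHELL_META = re.compile(r"\$\(|`|;|\||&&|\n")

# Allowlist for login identifiers (assumed policy, not the vendor's rule).
SAFE_FIELD = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def validate_login_field(value: str) -> bool:
    """SI-10 style check: accept only allowlisted characters, reject all else."""
    return SAFE_FIELD.fullmatch(value) is not None


# Apache/nginx "combined" style request line: client, timestamp, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_log(lines):
    """Return (client, timestamp, status, param, value) for every request to
    /forms/doLogin whose decoded query parameter carries shell metacharacters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != "/forms/doLogin":
            continue
        # parse_qsl percent-decodes each value, so encoded payloads are seen too.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if SHELL_META.search(value):
                findings.append((client, ts, status, name, value))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses); the first
# mirrors the "password$(curl" substring quoted in the vulnerability details.
LOG_SAMPLE = [
    '203.0.113.5 - - [10/Feb/2023:10:01:02 +0000] "GET /forms/doLogin?login_username=admin&password=password%24%28curl HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Feb/2023:10:02:15 +0000] "GET /forms/doLogin?login_username=operator&password=Winter2023 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Feb/2023:10:03:00 +0000] "GET /admin/index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan_log(LOG_SAMPLE):
        print("suspicious doLogin request:", hit)
```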

References