Cyber Resilience

CVE-2025-46120

CriticalPublic PoC

Published: 21 July 2025

Published
21 July 2025
Modified
05 August 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0481 89.7th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-46120 is a critical-severity Path Traversal (CWE-22) vulnerability in Ruckuswireless Ruckus Unleashed. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 10.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-46120 is a path-traversal vulnerability in the web interface of CommScope Ruckus Unleashed releases prior to 200.15.6.212.27 and 200.18.7.1.323, as well as Ruckus ZoneDirector releases prior to 10.5.1.0.282. The flaw permits the server to execute attacker-supplied EJS templates from outside the intended directories, which is tracked under CWE-22 and carries a CVSS 3.1 score of 9.8.

A remote unauthenticated attacker who can place a malicious template on the system, for example via FTP, can exploit the issue to escalate privileges and execute arbitrary template code on the controller.

Vendor advisories direct administrators to apply the fixed releases listed above; the referenced security bulletin from Ruckus Wireless and the detailed analysis at sector7.computest.nl both identify the affected firmware versions and the corresponding patched builds.

The associated EPSS score has remained flat at 0.0481 with no material increase after disclosure.

EU & UK References

Vulnerability details

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a…

more

remote unauthenticated attacker who can upload a template (e.g., via FTP) to escalate privileges and run arbitrary template code on the controller.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1221 Template Injection Stealth
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

Path-traversal vulnerability in web interface allows unauthenticated remote attackers to execute arbitrary uploaded EJS templates outside permitted directories, enabling exploitation for privilege escalation (T1068), public-facing application exploitation (T1190), remote services exploitation (T1210), and template injection (T1221).

CVEs Like This One

CVE-2025-46121Same product: Commscope Ruckus C110
CVE-2025-46117Same product: Commscope Ruckus C110
CVE-2025-46122Same product: Commscope Ruckus C110
CVE-2025-44960Same product: Commscope Ruckus C110
CVE-2025-44957Same product: Commscope Ruckus C110
CVE-2025-44961Same product: Commscope Ruckus C110
CVE-2025-62630Shared CWE-22
CVE-2025-60786Shared CWE-22
CVE-2025-27590Shared CWE-22
CVE-2025-40898Shared CWE-22

Affected Assets

ruckuswireless
ruckus unleashed
≤ 200.15.6.212.14 · 200.17 — 200.17.7.0.139
ruckuswireless
ruckus zonedirector
≤ 10.5.1.0.279

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the path-traversal vulnerability by applying vendor patches to Ruckus Unleashed and ZoneDirector, preventing exploitation as recommended in the security bulletin.

prevent

Validates and sanitizes file path inputs in the web interface to block path-traversal attempts that enable execution of attacker-supplied EJS templates outside permitted directories.

prevent

Enforces logical access controls to restrict the web interface and server from accessing or executing templates outside authorized directories, limiting privilege escalation.

References