CVE-2025-46121
Published: 21 July 2025
Summary
CVE-2025-46121 is a critical-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Ruckuswireless Ruckus Unleashed. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 12.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-46121 is a format-string vulnerability (CWE-134) in CommScope Ruckus Unleashed wireless controllers running versions prior to 200.15.6.212.14 and 200.17.7.0.139. The functions stamgr_cfg_adpt_addStaFavourite and stamgr_cfg_adpt_addStaIot pass an attacker-controlled client hostname directly to snprintf as the format argument, allowing format-specifier injection that can lead to arbitrary code execution on the controller.
A remote attacker can trigger the flaw by submitting a crafted request to the authenticated endpoint /admin/_conf.jsp. The same code path can also be reached without authentication or direct network access to the controller by spoofing the MAC address of a previously registered favourite station and supplying malicious format specifiers inside the DHCP hostname field, resulting in unauthenticated remote code execution with full system impact (CVSS 9.8).
The vendor has published security bulletin 330 and released fixed builds 200.15.6.212.14 and 200.17.7.0.139; administrators are advised to upgrade immediately and to restrict administrative access to the controller until patches are applied. The associated EPSS score remains low and flat at 0.0359 with no observed rise after disclosure.
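The corrected pattern for the bug class described above, as an added example that is not Ruckus code and not part of the original page: the hostname is checked against an allow-list and only ever reaches snprintf as an argument to a constant format string. The function names, the output layout and the sample MAC address are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Vulnerable pattern from the advisory, shown only as a comment:
 *     snprintf(buf, sizeof buf, hostname);    hostname is the format
 * All function names below are hypothetical, not the firmware's. */

/* Allow-list check: dot-separated labels of 1..63 letters, digits or '-',
 * no label starting or ending with '-', at most 253 bytes in total. */
int hostname_is_valid(const char *h)
{
    size_t len = strlen(h), label = 0;
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-')
                return 0;            /* empty label, or label ends in '-' */
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if ((c == '-' && label == 0) || ++label > 63)
                return 0;            /* leading '-' or label too long */
        } else {
            return 0;                /* '%', spaces, control bytes, ... */
        }
    }
    return label > 0 && h[len - 1] != '-';
}

/* Constant format string: the hostname is only ever an argument.
 * Returns 0 on success, -1 on error or truncation. */
int format_station_entry(char *out, size_t n, const char *mac, const char *host)
{
    int w = snprintf(out, n, "sta=%s host=%s", mac, host);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Validate first, then format: both layers apply. */
int record_station(char *out, size_t n, const char *mac, const char *host)
{
    return hostname_is_valid(host) ? format_station_entry(out, n, mac, host) : -1;
}

int main(void)
{
    char buf[64];   /* constructed sample MAC and hostname */
    printf("%d\n", record_station(buf, sizeof buf, "00:11:22:33:44:55", "%x%x"));
}
```

With the constant format alone, a hostname containing `%` is copied as literal text; the allow-list additionally rejects it before it is stored.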
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22107
Vulnerability details
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The format string vulnerability (CVE-2025-46121) in functions stamgr_cfg_adpt_addStaFavourite and stamgr_cfg_adpt_addStaIot enables unauthenticated arbitrary code execution via malicious DHCP hostname with spoofed MAC address, exploiting remote services on the Ruckus Unleashed controller.
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2025-46121 by identifying, reporting, and applying vendor patches that correct the improper format string handling in stamgr_cfg_adpt_addStaFavourite and stamgr_cfg_adpt_addStaIot functions.
Validates information inputs such as client hostnames from DHCP requests and admin endpoints to block malicious format specifiers before they reach snprintf.
Requires device identification and authentication beyond spoofable MAC addresses, mitigating the unauthenticated exploit vector via spoofed favorite station and crafted DHCP hostname.