CVE-2025-46121
Published: 21 July 2025
Summary
CVE-2025-46121 is a critical-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Ruckuswireless Ruckus Unleashed. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked in the top 17.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2025-46121 by identifying, reporting, and applying vendor patches that correct the improper format string handling in the stamgr_cfg_adpt_addStaFavourite and stamgr_cfg_adpt_addStaIot functions.
- Validates information inputs such as client hostnames from DHCP requests and admin endpoints to block malicious format specifiers before they reach snprintf.
- Requires device identification and authentication beyond spoofable MAC addresses, mitigating the unauthenticated exploit vector via a spoofed favourite station and crafted DHCP hostname.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The format string vulnerability (CVE-2025-46121) in the functions stamgr_cfg_adpt_addStaFavourite and stamgr_cfg_adpt_addStaIot enables unauthenticated arbitrary code execution via a malicious DHCP hostname sent with a spoofed MAC address, exploiting remote services on the Ruckus Unleashed controller.
NVD Description
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.
Deeper analysis
CVE-2025-46121 is a format string vulnerability (CWE-134) affecting CommScope Ruckus Unleashed wireless controllers in versions prior to 200.15.6.212.14 and 200.17.7.0.139. The flaw resides in the functions stamgr_cfg_adpt_addStaFavourite and stamgr_cfg_adpt_addStaIot, which pass a client hostname directly to snprintf as the format string, enabling attackers to supply malicious format specifiers.
A remote attacker can exploit this vulnerability in two ways. With authentication, they can send a crafted request to the /admin/_conf.jsp endpoint. Without authentication or direct network access to the controller, they can spoof the MAC address of a favorite station and embed malicious format specifiers in the DHCP hostname field. Successful exploitation leads to unauthenticated format-string processing and arbitrary code execution on the controller. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Ruckus Wireless security bulletin 330 and the Sector 7 advisory detail the vulnerability and recommend mitigation by updating to Ruckus Unleashed versions 200.15.6.212.14 or 200.17.7.0.139, which address the improper format string handling.
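The corrected pattern for this class of bug, as an added example (not code from the advisory, the vendor, or the firmware): the hostname is validated first and then reaches snprintf only as an argument to a constant format string. The function names and the hostname character policy are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helper names; the firmware's real code is not on the page. */

/* SI-10 style input check (assumed policy): letters, digits, '-' and '.',
 * length 1..253. A '%' can never pass this filter. */
int hostname_is_valid(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || n > 253)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Defence in depth: with a constant format string, even an unvalidated
 * value is copied verbatim instead of being interpreted.
 * The vulnerable pattern (comment only) is: snprintf(out, outlen, hostname);
 * Returns 0 on success, -1 on error or truncation. */
int copy_verbatim(char *out, size_t outlen, const char *untrusted)
{
    int n = snprintf(out, outlen, "%s", untrusted);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Validate, then store. Returns 0 on success, -1 if rejected or truncated. */
int store_hostname(char *out, size_t outlen, const char *hostname)
{
    if (!hostname_is_valid(hostname))
        return -1;
    return copy_verbatim(out, outlen, hostname);
}

int main(void)
{
    char buf[64];
    const char *samples[] = { "printer-2.lan", "%x.%x.%x", "" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-16s -> %s\n", samples[i],
               store_hostname(buf, sizeof buf, samples[i]) == 0 ? "stored" : "rejected");
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag a non-literal format string passed with no arguments, which helps find the same pattern elsewhere in a code base.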
Details
- CWE(s)