Cyber Resilience

CVE-2025-46121

Critical · Public PoC

Published: 21 July 2025

Modified: 05 August 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0359 (88.0th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-46121 is a critical-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Ruckuswireless Ruckus Unleashed. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 12.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-46121 is a format-string vulnerability (CWE-134) in CommScope Ruckus Unleashed wireless controllers running versions prior to 200.15.6.212.14 and 200.17.7.0.139. The functions stamgr_cfg_adpt_addStaFavourite and stamgr_cfg_adpt_addStaIot pass an attacker-controlled client hostname directly to snprintf as the format argument, allowing format-specifier injection that can lead to arbitrary code execution on the controller.

A remote attacker can trigger the flaw by submitting a crafted request to the authenticated endpoint /admin/_conf.jsp. The same code path can also be reached without authentication or direct network access to the controller by spoofing the MAC address of a previously registered favourite station and supplying malicious format specifiers inside the DHCP hostname field, resulting in unauthenticated remote code execution with full system impact (CVSS 9.8).
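The pattern described above, as an added example that is not Ruckus code or code from this page: a hypothetical `record_hostname_unsafe` passes the hostname as the format argument, while `record_hostname_safe` uses a constant format and an assumed RFC 1123 hostname check in the spirit of SI-10. All function names and sample hostnames are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; function names are hypothetical, not vendor code. */

/* BEFORE: hostname is the format argument, so conversion specifiers
 * embedded in it are interpreted by snprintf (CWE-134). */
int record_hostname_unsafe(char *dst, size_t n, const char *hostname) {
    return snprintf(dst, n, hostname);
}

/* Input validation (assumed policy: RFC 1123 letters, digits, '-', '.';
 * labels 1..63 bytes, total <= 253). '%' can never pass. */
int hostname_is_valid(const char *h) {
    size_t len = strlen(h), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label == 0) return 0;
            if (++label > 63) return 0;
        } else {
            return 0;
        }
    }
    return label > 0 && h[len - 1] != '-';
}

/* AFTER: constant format string; the hostname is only ever data.
 * Returns 0 on success, -1 if rejected or truncated. */
int record_hostname_safe(char *dst, size_t n, const char *hostname) {
    if (!hostname_is_valid(hostname)) return -1;
    int w = snprintf(dst, n, "%s", hostname);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(void) {
    /* Constructed sample DHCP hostnames. */
    const char *samples[] = { "laptop-01", "ap-%x-%x", "-bad", "a..b" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s -> %s\n", samples[i],
               record_hostname_safe(buf, sizeof buf, samples[i]) ? "rejected" : "stored");
    return 0;
}
```

The constant `"%s"` format is the actual fix for the bug class; the character allow-list is defence in depth and may need loosening (for example for underscores) in networks whose clients send non-RFC hostnames.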

The vendor has published security bulletin 330 and released fixed builds 200.15.6.212.14 and 200.17.7.0.139; administrators are advised to upgrade immediately and to restrict administrative access to the controller until patches are applied. The associated EPSS score remains low and flat at 0.0359 with no observed rise after disclosure.

EU & UK References

Vulnerability details

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to `snprintf` as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The format string vulnerability (CVE-2025-46121) in functions stamgr_cfg_adpt_addStaFavourite and stamgr_cfg_adpt_addStaIot enables unauthenticated arbitrary code execution via malicious DHCP hostname with spoofed MAC address, exploiting remote services on the Ruckus Unleashed controller.

CVEs Like This One

CVE-2025-46122 (same product: Commscope Ruckus C110)
CVE-2025-46120 (same product: Commscope Ruckus C110)
CVE-2025-46117 (same product: Commscope Ruckus C110)
CVE-2025-44961 (same product: Commscope Ruckus C110)
CVE-2025-44960 (same product: Commscope Ruckus C110)
CVE-2025-44957 (same product: Commscope Ruckus C110)
CVE-2025-64157 (shared CWE-134)
CVE-2025-40600 (shared CWE-134)
CVE-2026-3509 (shared CWE-134)
CVE-2026-33210 (shared CWE-134)

Affected Assets

ruckuswireless / ruckus unleashed: ≤ 200.15.6.212.14 · 200.17 to 200.17.7.0.139
ruckuswireless / ruckus zonedirector: ≤ 10.5.1.0.279

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly mitigates CVE-2025-46121 by identifying, reporting, and applying vendor patches that correct the improper format string handling in stamgr_cfg_adpt_addStaFavourite and stamgr_cfg_adpt_addStaIot functions.

Prevent: Validates information inputs such as client hostnames from DHCP requests and admin endpoints to block malicious format specifiers before they reach snprintf.

Prevent: Requires device identification and authentication beyond spoofable MAC addresses, mitigating the unauthenticated exploit vector via spoofed favorite station and crafted DHCP hostname.

References