CVE-2025-46122
Published: 21 July 2025
Summary
CVE-2025-46122 is a critical-severity Command Injection (CWE-77) vulnerability in Ruckuswireless Ruckus Unleashed. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 33.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the command injection vulnerability by requiring validation of attacker-controlled inputs to the `/admin/_cmdstat.jsp` diagnostics API endpoint before they are passed to the shell.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and remediation of flaws like this command injection vulnerability through patching to fixed Ruckus Unleashed versions.
- Least privilege: Limits the attack surface by enforcing least privilege, restricting high-privilege (PR:H) access to the vulnerable diagnostics endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated command injection in the diagnostics API (/admin/_cmdstat.jsp) passes uncontrolled input to the shell, enabling arbitrary Unix shell command execution as root remotely, including on network devices targeted by MAC address.
NVD Description
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation, enabling a remote attacker to specify a target by MAC address and execute arbitrary commands as root.
Deeper analysis
CVE-2025-46122 is a command injection vulnerability (CWE-77) in CommScope Ruckus Unleashed wireless controllers, affecting versions prior to 200.15.6.212.14 and 200.17.7.0.139. The flaw resides in the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp`, which passes attacker-controlled input directly to the shell without proper validation. This allows a remote attacker to target a specific device by MAC address and execute arbitrary commands with root privileges. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity: it is reachable over the network, requires low attack complexity, and has high impact on confidentiality, integrity and availability with a scope change (S:C).
An authenticated attacker with high privileges (PR:H) can exploit this vulnerability remotely over the network with no user interaction required. By crafting malicious input to the `/admin/_cmdstat.jsp` endpoint, the attacker specifies a target device's MAC address and injects arbitrary shell commands, achieving remote code execution (RCE) as root on that device. This grants full control over the targeted Ruckus Unleashed-managed access point or controller, potentially leading to complete compromise of the wireless network infrastructure.
Mitigation requires upgrading to Ruckus Unleashed versions 200.15.6.212.14 or later for the 200.15 branch, or 200.17.7.0.139 or later for the 200.17 branch, as detailed in the vendor's security bulletin at https://support.ruckuswireless.com/security_bulletins/330. Additional technical analysis is available from the discoverer at https://sector7.computest.nl/post/2025-07-ruckus-unleashed/. Organizations should audit access to diagnostics endpoints and restrict high-privilege accounts until patching is complete.
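As an added illustration of the SI-10 control discussed above (constructed example; not Ruckus code and not taken from the discoverer's write-up), the handler below shows the unsafe pattern the advisory describes beside a hardened version that validates the MAC-address parameter against a strict allow-list and hands it to the diagnostic tool as an argv element instead of a shell string. The tool name `diag-tool`, the function names and the `InvalidInput` exception are placeholders assumed for this example.

```python
import re
import subprocess

# Allow-list for the target parameter: exactly six colon-separated hex octets.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


class InvalidInput(ValueError):
    """Raised when the target parameter is not a well-formed MAC address."""


def vulnerable_command(mac: str) -> str:
    # Pattern the advisory describes: untrusted input concatenated into a
    # command line that is later handed to a shell, so metacharacters in
    # `mac` are interpreted by the shell. Shown for contrast only; never run.
    return f"diag-tool --target {mac}"


def validate_mac(mac: str) -> str:
    # SI-10: reject anything that is not a MAC address before it goes further.
    # fullmatch() refuses trailing newlines and any extra characters.
    if not MAC_RE.fullmatch(mac):
        raise InvalidInput("target must be a MAC address of the form aa:bb:cc:dd:ee:ff")
    return mac.lower()


def hardened_argv(mac: str) -> list[str]:
    # The validated value becomes a single argv element; with shell=False no
    # shell ever parses it, so there is nothing to inject into.
    return ["diag-tool", "--target", validate_mac(mac)]


def run_diagnostic(mac: str, runner=subprocess.run):
    # `runner` is injectable so the wiring can be tested without a real tool.
    argv = hardened_argv(mac)
    return runner(argv, shell=False, capture_output=True, text=True, check=False)


def is_safe_target(mac: str) -> bool:
    # Convenience check for request-level filtering and log review.
    try:
        validate_mac(mac)
        return True
    except InvalidInput:
        return False
```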
Details
- CWE(s)