Cyber Resilience

CVE-2025-46122

Critical · Public PoC · RCE

Published: 21 July 2025
Modified: 05 August 2025
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.0139 (80.7th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-46122 is a critical-severity Command Injection (CWE-77) vulnerability in Ruckuswireless Ruckus Unleashed. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 19.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-46122 affects CommScope Ruckus Unleashed wireless controller software prior to versions 200.15.6.212.14 and 200.17.7.0.139. The flaw is a command-injection issue (CWE-77) in the authenticated diagnostics endpoint /admin/_cmdstat.jsp, which passes unsanitized attacker-supplied input directly to the system shell and permits specification of a target device by MAC address.

An attacker who already possesses administrative credentials on the management interface can exploit the endpoint over the network to run arbitrary operating-system commands with root privileges. The CVSS 9.1 score reflects the combination of network attack vector, low complexity, and full impact on confidentiality, integrity, and availability within a changed security scope.

Vendor guidance and the associated security bulletin direct administrators to upgrade to the fixed releases listed above; the bulletin also contains additional hardening recommendations for environments that cannot immediately apply the patches. The EPSS score has remained flat at 0.0139 with no observed increase after disclosure.
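The two fixed builds named above are the practical triage threshold for an asset inventory. The following is an added example, not code from this page or from CommScope: it parses dotted Ruckus Unleashed build strings and flags hosts that sort below the fixed build on their own release branch. It follows the "prior to" wording of the analysis (a build equal to the fixed release is treated as patched), assumes the first two version components identify the branch, and reports builds on branches this page does not list as unknown rather than guessing; the inventory entries are constructed sample data.

```python
import re

# Fixed releases named on this page (CommScope Ruckus Unleashed), keyed by
# release branch. Assumption: the first two components identify the branch,
# and a build is affected when it sorts strictly below the fix on that branch.
FIXED_BUILDS = {
    (200, 15): (200, 15, 6, 212, 14),
    (200, 17): (200, 17, 7, 0, 139),
}


def parse_version(text):
    """Turn '200.15.6.212.14' into a tuple of ints; reject anything else."""
    cleaned = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))


def is_affected(version_text):
    """True if the build is below the fix on its branch, False if at or above it,
    None if the branch is not one this page lists (no claim either way)."""
    version = parse_version(version_text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        return None
    # Tuple comparison is component-wise, so a shorter prefix such as
    # 200.15.6.212 sorts below 200.15.6.212.14 and is reported as affected.
    return version < fixed


# Constructed sample inventory: (hostname, reported build).
SAMPLE_INVENTORY = [
    ("unleashed-hq", "200.15.6.212.13"),
    ("unleashed-lab", "200.15.6.212.14"),
    ("unleashed-branch", "200.17.7.0.100"),
    ("unleashed-dc", "200.17.7.0.139"),
    ("unleashed-legacy", "200.13.6.1.1"),
]


def triage(inventory):
    """Bucket hosts into affected / fixed / unknown for the patch (SI-2) work queue."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, build in inventory:
        state = is_affected(build)
        bucket = "unknown" if state is None else ("affected" if state else "fixed")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket still need a manual check against the vendor bulletin; the helper deliberately refuses to extrapolate the two thresholds to branches the page does not mention.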


Vulnerability details

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation, enabling a remote attacker to specify a target by MAC address and execute arbitrary commands as root.

CWE(s): CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Authenticated command injection in the diagnostics API (/admin/_cmdstat.jsp) passes uncontrolled input to the shell, enabling arbitrary Unix shell command execution as root remotely, including on network devices targeted by MAC address.

CVEs Like This One

CVE-2025-46121 (same product: Commscope Ruckus C110)
CVE-2025-46120 (same product: Commscope Ruckus C110)
CVE-2025-46117 (same product: Commscope Ruckus C110)
CVE-2025-44960 (same product: Commscope Ruckus C110)
CVE-2025-66399 (shared CWE-77)
CVE-2025-57105 (shared CWE-77)
CVE-2026-20147 (shared CWE-77)
CVE-2025-44961 (same product: Commscope Ruckus C110)
CVE-2026-35682 (shared CWE-77)
CVE-2025-67089 (shared CWE-77)

Affected Assets

ruckuswireless / ruckus unleashed: ≤ 200.15.6.212.14 · 200.17 to 200.17.7.0.139
ruckuswireless / ruckus zonedirector: ≤ 10.5.1.0.279

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation: Directly addresses the command injection vulnerability by requiring validation of attacker-controlled inputs to the `/admin/_cmdstat.jsp` diagnostics API endpoint before passing to the shell.
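What SI-10 looks like in code for this class of bug, as an added example that is not CommScope's code and does not reflect how the real endpoint is implemented: the single user-supplied value (a MAC address) is checked against a strict allow-list pattern, and the diagnostic tool is invoked with an argv list rather than a shell command string, so no metacharacter in the input can ever reach a shell. The tool name `wlan_diag`, its `--client` flag and the injectable `runner` parameter are hypothetical; the MAC format (six colon-separated hex octets) is assumed for the example.

```python
import re
import subprocess

# Strict allow-list for the one value taken from the request: six
# colon-separated hex octets. Assumed format for this example.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")


def validate_mac(raw):
    """Return the normalised MAC or raise ValueError; nothing else gets through."""
    # fullmatch() rather than match()/search() with '$': in Python, '$' also
    # matches before a trailing newline, so 'aa:..:ff\n' would slip past it.
    if not isinstance(raw, str) or MAC_RE.fullmatch(raw) is None:
        raise ValueError("rejected: input is not a MAC address")
    return raw.lower()


def build_diag_argv(raw_mac):
    """Build the argv list for a hypothetical diagnostics tool.
    The validated MAC is one argument in a list; no shell ever parses it."""
    return ["wlan_diag", "--client", validate_mac(raw_mac)]  # hypothetical tool


def run_diag(raw_mac, runner=subprocess.run):
    """Invoke the tool without a shell. `runner` is injectable (hypothetical
    parameter) so the path can be exercised without the binary installed."""
    argv = build_diag_argv(raw_mac)
    # shell=False is the default, stated explicitly to document the intent.
    return runner(argv, shell=False, capture_output=True, text=True, timeout=10)


def is_accepted(raw):
    """Convenience predicate for review and testing of the allow-list."""
    try:
        validate_mac(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one well-formed value, then malformed ones that the
    # allow-list must reject before any command is assembled.
    for candidate in ["AA:BB:CC:DD:EE:FF", "aabbccddeeff", "aa:bb:cc:dd:ee:ff\n", ""]:
        print(repr(candidate), "->", "accepted" if is_accepted(candidate) else "rejected")
```

Two design points: the validator returns the normalised value so every later use sees the same canonical form, and `run_diag` never builds a string from the input, which is what makes the allow-list sufficient rather than merely helpful.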

prevent · SI-2 Flaw Remediation: Mandates timely identification, reporting, and remediation of flaws like this command injection vulnerability through patching to fixed Ruckus Unleashed versions.

prevent · least privilege: Limits the attack surface by enforcing least privilege, restricting high-privilege (PR:H) access to the vulnerable diagnostics endpoint.
