Cyber Resilience

CVE-2025-46123

High · Public PoC

Published: 21 July 2025

Modified: 05 August 2025
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0359 (88.0th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-46123 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Ruckuswireless Ruckus Unleashed. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 12.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

The vulnerability is a format-string issue (CWE-134) affecting the authenticated configuration endpoint /admin/_conf.jsp in CommScope Ruckus Unleashed releases prior to 200.15.6.212.14 and 200.17.7.0.139, as well as Ruckus ZoneDirector releases prior to 10.5.1.0.279. The endpoint writes the Wi-Fi guest password to memory via snprintf, treating the attacker-supplied value directly as the format string and thereby enabling uncontrolled format-string processing that leads to remote code execution on the controller. The flaw carries a CVSS 3.1 base score of 7.2.

An authenticated administrator with network access can exploit the endpoint by submitting a crafted guest password value. Successful exploitation grants the attacker the ability to execute arbitrary code on the wireless controller, resulting in full compromise of confidentiality, integrity, and availability.

Vendor guidance published in the Ruckus security bulletin and the associated technical report directs administrators to upgrade Unleashed and ZoneDirector installations to the corrected releases that eliminate the unsafe snprintf usage.
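The unsafe call pattern described above, shown next to the corrected form as an added illustration in C. This is not Ruckus code: the function names, buffer size and sample value are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX 64  /* assumed buffer size for the example */

/* Unsafe pattern (CWE-134): the caller-supplied value is passed as the
 * format argument, so snprintf interprets every '%' directive inside it.
 * The pragmas only silence the compiler warning this pattern triggers. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int store_guest_pw_unsafe(char *dst, size_t n, const char *value)
{
    return snprintf(dst, n, value);
}
#pragma GCC diagnostic pop

/* Corrected pattern: the format string is a constant and the value is
 * treated purely as data. Returns 0 on success, -1 if the value did not
 * fit in dst (truncated) or snprintf reported an error. */
int store_guest_pw_safe(char *dst, size_t n, const char *value)
{
    int len = snprintf(dst, n, "%s", value);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Constructed sample value. "%%" is the one directive that consumes no
 * arguments, so it shows that the unsafe call interprets its input
 * without invoking undefined behaviour. */
static const char SAMPLE_PW[] = "guest100%%";

int main(void)
{
    char a[PW_MAX], b[PW_MAX];

    store_guest_pw_unsafe(a, sizeof a, SAMPLE_PW);
    store_guest_pw_safe(b, sizeof b, SAMPLE_PW);

    /* The unsafe copy no longer matches what was submitted. */
    printf("submitted:     %s\n", SAMPLE_PW);
    printf("unsafe stored: %s\n", a);
    printf("safe stored:   %s\n", b);
    return 0;
}
```

Building with `-Wformat -Wformat-security` (or `-Werror=format-security`) makes the compiler flag the unsafe call at build time.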

The EPSS score stands at 0.0359 with no material change from its recorded peak.

Vulnerability details

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest password to memory with snprintf using the attacker-supplied value as the format string; a crafted password therefore triggers uncontrolled format-string processing and enables remote code execution on the controller.

CWE(s)

CWE-134: Use of Externally-Controlled Format String

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The format string vulnerability (CVE-2025-46123) in the authenticated configuration endpoint /admin/_conf.jsp, exploitable via a crafted Wi-Fi guest password (including via a DHCP request from guest Wi-Fi), enables remote code execution through exploitation of a remote service.

Affected Assets

ruckuswireless ruckus unleashed: ≤ 200.15.6.212.14 · 200.17 — 200.17.7.0.139
ruckuswireless ruckus zonedirector: ≤ 10.5.1.0.279

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
