CVE-2025-46123
Published: 21 July 2025
Summary
CVE-2025-46123 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Ruckuswireless Ruckus Unleashed. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 12.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a format-string issue (CWE-134) affecting the authenticated configuration endpoint /admin/_conf.jsp in CommScope Ruckus Unleashed releases prior to 200.15.6.212.14 and 200.17.7.0.139, as well as Ruckus ZoneDirector releases prior to 10.5.1.0.279. The endpoint writes the Wi-Fi guest password to memory via snprintf, treating the attacker-supplied value directly as the format string and thereby enabling uncontrolled format-string processing that leads to remote code execution on the controller. The flaw carries a CVSS 3.1 base score of 7.2.
An authenticated administrator with network access can exploit the endpoint by submitting a crafted guest password value. Successful exploitation grants the attacker the ability to execute arbitrary code on the wireless controller, resulting in full compromise of confidentiality, integrity, and availability.
Vendor guidance published in the Ruckus security bulletin and the associated technical report directs administrators to upgrade Unleashed and ZoneDirector installations to the corrected releases that eliminate the unsafe snprintf usage.
The EPSS score stands at 0.0359 with no material change from its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22105
Vulnerability details
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest password to memory with snprintf using the attacker-supplied value as…
more
the format string; a crafted password therefore triggers uncontrolled format-string processing and enables remote code execution on the controller.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The format string vulnerability (CVE-2025-46123) in the authenticated configuration endpoint /admin/_conf.jsp, exploitable via crafted Wi-Fi guest password (including via DHCP request from guest WiFi), enables remote code execution through exploitation of a remote service.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.