CVE-2025-67305

CriticalPublic PoC

Published: 19 February 2026

Published

19 February 2026

Modified

03 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0008 24.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67305 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Commscope Ruckus Network Director. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to External Remote Services (T1133) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

Requires management of authenticators such as SSH keys, preventing their hardcoding and mandating unique, secure generation and handling per deployment.

SC-12 Cryptographic Key Establishment and Management good match

prevent

Establishes and manages cryptographic keys for system cryptography, directly addressing and prohibiting identical hardcoded SSH keys across all deployments.

CM-6 Configuration Settings partial match

prevent

Enforces and documents secure configuration settings for components, mitigating insecure appliance configurations that embed hardcoded SSH keys.

MITRE ATT&CK Enterprise TechniquesAI

T1133 External Remote Services Persistence

Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

attack.mitre.org →

T1078.003 Local Accounts Stealth

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

T1552.004 Private Keys Credential Access

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Hardcoded SSH private keys enable external SSH access (T1133) using a valid local account (T1078.003) via known unsecured credentials (T1552.004), directly leading to DB/web admin access and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In RUCKUS Network Director (RND) < 4.5.0.56, the OVA appliance contains hardcoded SSH keys for the postgres user. These keys are identical across all deployments, allowing an attacker with network access to authenticate via SSH without a password. Once authenticated,…

the attacker can access the PostgreSQL database with superuser privileges, create administrative users for the web interface, and potentially escalate privileges further.

Deeper analysisAI

CVE-2025-67305 is a critical vulnerability in RUCKUS Network Director (RND) versions prior to 4.5.0.56, specifically affecting the OVA appliance. The issue stems from hardcoded SSH keys for the postgres user, which are identical across all deployments. This flaw, published on 2026-02-19, is categorized under CWE-321: Use of Hard-coded Cryptographic Key and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

An unauthenticated attacker with network access to the RND appliance can exploit this vulnerability by using the publicly known hardcoded SSH keys to authenticate via SSH without a password. Once authenticated, the attacker gains superuser privileges on the PostgreSQL database, allowing them to create administrative users for the web interface and potentially escalate privileges further.

Advisories from Marlink Cyber (https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-012-ruckus-nd-hardcoded-ssh-keys-rce.md) and CommScope (https://webresources.commscope.com/download/assets/RUCKUS+Network+Director%3A+Critical+Security+Bypass+Vulnerability+Leading+to+Remote+Code+Execution+and/3adeb3acb69211f08a46b6532db37357) provide further details on this critical security bypass vulnerability, including mitigation guidance such as upgrading to RND 4.5.0.56 or later.