Ruckus Wireless Virtual SmartZone (vSZ) and Network Director (RND) products are affected by multiple vulnerabilities that could allow attackers to compromise managed environments.
Ruckus Wireless, now Ruckus Networks, is a provider of networking devices for venues with internet-connected systems, including hospitals, schools, and smart cities.
The company’s vSZ control software supports the management of large-scale networks – up to 10,000 Ruckus access points – while RND enables the management of multiple vSZ clusters.
A fresh alert from Carnegie Mellon University’s CERT Coordination Center (CERT/CC) draws attention to nine flaws that Claroty Team82 found in the two appliances, which could lead to authentication bypass, arbitrary file reads, and remote code execution (RCE).
The vSZ application contains multiple hardcoded secrets, including JWT Signing Key and API keys, which could allow attackers to access the appliance with high privileges. The issue is tracked as CVE-2025-44957.
“Using HTTP headers and a valid API key, it is possible to logically bypass the authentication methods, providing administrator-level access to anyone that does this,” CERT/CC’s advisory reads.
Another bug in vSZ, tracked as CVE-2025-44962, could allow authenticated users to traverse directory paths and read sensitive files.
Furthermore, vSZ stores default public and private RSA keys for a built-in user with root privileges in the user’s SSH directory (CVE-2025-44954), providing anyone with knowledge of the keys with root-level permissions via SSH, which could potentially lead to unauthenticated RCE.
Two other RCE vulnerabilities in vSZ exist due to the lack of sanitization of a user-controlled parameter in an API route (CVE-2025-44960) and the lack of sanitization of a user-supplied IP address as an argument, which could be a command instead of the IP address (CVE-2025-44961).
RND too was found to use hardcoded secrets, including a JWT token, for the backend web server, thus allowing attackers to create a valid JWT, bypass authentication, and access the server with admin privileges. The flaw is tracked as CVE-2025-4496.
Additionally, RND was found to contain a built-in jailbreak for a jailed environment that supports device configuration without shell access to the underlying OS. A hardcoded password, tracked as CVE-2025-44955, provides access to the server with root privileges.
The RND platform also contains hardcoded SSH keys (CVE-2025-6243) for the built-in account ‘sshuser’, which has root privileges, and uses a hardcoded weak secret key (CVE-2025-44958) to encrypt passwords, while returning the passwords in plaintext.
“Impact of these vulnerabilities vary from information leakage to total compromise of the wireless environment managed by the affected products. […] Multiple vulnerabilities can be chained to create chained attacks that can allow the attacker to combine attacks to bypass any security controls that prevent only specific attacks,” CERT/CC notes.
According to CERT/CC, its attempts to contact Ruckus Wireless or its parent company Commscope have remained unanswered and no patches are available for these vulnerabilities. Users should limit access to the vulnerable products and contain them within isolated management networks.
SecurityWeek has emailed Commscope for a statement on these vulnerabilities and will update the article if the company responds.
Related: Exploits, Technical Details Released for CitrixBleed2 Vulnerability
Related: Vulnerability Exposed All Open VSX Repositories to Takeover
Related: Zyxel Firewall Vulnerability Again in Attacker Crosshairs
