Multiple vulnerabilities in Ruckus Virtual SmartZone (vSZ) and Network Director (RND)

Updated: 2025-07-15
Risk: High
Patch available: No
Number of vulnerabilities: 9
CVE-ID: CVE-2025-44957, CVE-2025-44962, CVE-2025-44954, CVE-2025-44960, CVE-2025-44961, CVE-2025-44963, CVE-2025-44955, CVE-2025-6243, CVE-2025-44958
CWE-ID: CWE-287, CWE-798, CWE-1394, CWE-78, CWE-77, CWE-321, CWE-259, CWE-257
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
Virtual SmartZone (vSZ) (Other software / Other software solutions)
Network Director (RND) (Other software / Other software solutions)
Vendor: Ruckus Networks

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Improper Authentication

EUVDB-ID: #VU112717

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-44957

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to the presence of hard-coded secrets in the application code. A remote attacker can bypass the authentication process and gain unauthorized access to the application.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Virtual SmartZone (vSZ): All versions

External links

https://www.kb.cert.org/vuls/id/613753
https://support.ruckuswireless.com/security_bulletins/333


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use of hard-coded credentials

EUVDB-ID: #VU112718

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-44962

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain full access to the vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials in the application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Virtual SmartZone (vSZ): All versions

External links

https://www.kb.cert.org/vuls/id/613753
https://support.ruckuswireless.com/security_bulletins/333


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use of Default Cryptographic Key

EUVDB-ID: #VU112719

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-44954

CWE-ID: CWE-1394 - Use of Default Cryptographic Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the use of a default cryptographic key for potentially critical functionality. A remote attacker with a Ruckus device can execute arbitrary code on the system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Virtual SmartZone (vSZ): All versions

External links

https://www.kb.cert.org/vuls/id/613753
https://support.ruckuswireless.com/security_bulletins/333


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) OS Command Injection

EUVDB-ID: #VU112720

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-44960

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Virtual SmartZone (vSZ): All versions

External links

https://www.kb.cert.org/vuls/id/613753
https://support.ruckuswireless.com/security_bulletins/333


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Command Injection

EUVDB-ID: #VU112721

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-44961

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation. A remote user can pass specially crafted data to the application and execute arbitrary commands.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Virtual SmartZone (vSZ): All versions

External links

https://www.kb.cert.org/vuls/id/613753
https://support.ruckuswireless.com/security_bulletins/333


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Use of hard-coded cryptographic key

EUVDB-ID: #VU112722

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-44963

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the use of a hard-coded cryptographic key. A remote user can forge a valid JWT and bypass authentication on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Network Director (RND): All versions

External links

https://www.kb.cert.org/vuls/id/613753
https://support.ruckuswireless.com/security_bulletins/333


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use of Hard-coded Password

EUVDB-ID: #VU112723

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-44955

CWE-ID: CWE-259 - Use of Hard-coded Password

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the use of a hard-coded password. A remote user can access the RND server with root permissions.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Network Director (RND): All versions

External links

https://www.kb.cert.org/vuls/id/613753
https://support.ruckuswireless.com/security_bulletins/333


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Use of hard-coded cryptographic key

EUVDB-ID: #VU112725

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-6243

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the use of a hard-coded SSH public key. A remote user can access an RND server as sshuser.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Network Director (RND): All versions

External links

https://www.kb.cert.org/vuls/id/613753
https://support.ruckuswireless.com/security_bulletins/333


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Storing passwords in a recoverable format

EUVDB-ID: #VU112726

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-44958

CWE-ID: CWE-257 - Storing Passwords in a Recoverable Format

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to passwords being stored in a recoverable format. A remote attacker can obtain all stored passwords and decrypt them to plaintext.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Network Director (RND): All versions

External links

https://www.kb.cert.org/vuls/id/613753
https://support.ruckuswireless.com/security_bulletins/333


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.