SB2025071034 - Multiple vulnerabilities in Ruckus Virtual SmartZone (vSZ) and Network Director (RND)

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025071034

SB2025071034 - Multiple vulnerabilities in Ruckus Virtual SmartZone (vSZ) and Network Director (RND)

Published: July 10, 2025 Updated: July 15, 2025

Security Bulletin ID SB2025071034
Severity
High
Patch available
NO
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 44% Medium 56%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2025-44957)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to presence of hard-coded secrets in application code. A remote attacker can bypass authentication process and gain unauthorized access to the application.


2) Use of hard-coded credentials (CVE-ID: CVE-2025-44962)

The vulnerability allows a remote attacker to gain full access to vulnerable system.

The vulnerability exists due to presence of hard-coded credentials in application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Use of Default Cryptographic Key (CVE-ID: CVE-2025-44954)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use of default cryptographic key for potentially critical functionality. A remote attacker with Ruckus device can execute arbitrary code on the system.


4) OS Command Injection (CVE-ID: CVE-2025-44960)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


5) Command Injection (CVE-ID: CVE-2025-44961)

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation. A remote user can pass specially crafted data to the application and execute arbitrary commands.


6) Use of hard-coded cryptographic key (CVE-ID: CVE-2025-44963)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use of hard-coded cryptographic key. A remote user can create a valid JWT token and bypass authentication on the target system.


7) Use of Hard-coded Password (CVE-ID: CVE-2025-44955)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use a hard-coded password. A remote user can access the RND server with root permissions.


8) Use of hard-coded cryptographic key (CVE-ID: CVE-2025-6243)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use of hard-coded SSH Public key. A remote user can access an RND server as sshuser.


9) Storing passwords in a recoverable format (CVE-ID: CVE-2025-44958)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to storing passwords in a recoverable format. A remote attacker can gain all the plaintext passwords and decrypt them.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References