Improper Authentication in Ruckus IoT vRIoT Server - CVE-2020-8005
Published: February 11, 2020
Vulnerability identifier: #VU25252
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2020-8005
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Ruckus Networks
Affected software:
Ruckus IoT vRIoT Server
Ruckus IoT vRIoT Server
Detailed vulnerability description
The vulnerability allows a remote attacker to compromise the affected device.
The vulnerability exists due to absent authentication at multiple API endpoint. A remote non-authenticated attacker can use the exposed APIs to download or delete system backups, manipulate modules configuration, reset the device.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected device.
Examples of exposed APIs without authentication:
/service/init/service/v1/db/restore/service/v1/db/backup/service/upgrade/flow/module//reset
How to mitigate CVE-2020-8005
Install updates from vendor's website.