#VU25252 Improper Authentication in Ruckus IoT vRIoT Server - CVE-2020-8005
Published: February 11, 2020
Vulnerability identifier: #VU25252
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2020-8005
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Ruckus IoT vRIoT Server
Ruckus IoT vRIoT Server
Software vendor:
Ruckus Networks
Ruckus Networks
Description
The vulnerability allows a remote attacker to compromise the affected device.
The vulnerability exists due to absent authentication at multiple API endpoint. A remote non-authenticated attacker can use the exposed APIs to download or delete system backups, manipulate modules configuration, reset the device.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected device.
Examples of exposed APIs without authentication:
/service/init/service/v1/db/restore/service/v1/db/backup/service/upgrade/flow/module//reset
Remediation
Install updates from vendor's website.