Main Vulnerability Database Vulnerabilities #VU25252

#VU25252 Improper Authentication in Ruckus IoT vRIoT Server - CVE-2020-8005

Published: February 11, 2020

Vulnerability identifier: #VU25252

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2020-8005

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Ruckus IoT vRIoT Server

Software vendor:
Ruckus Networks

Description

The vulnerability allows a remote attacker to compromise the affected device.

The vulnerability exists due to absent authentication at multiple API endpoint. A remote non-authenticated attacker can use the exposed APIs to download or delete system backups, manipulate modules configuration, reset the device.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected device.

Examples of exposed APIs without authentication:

/service/init
/service/v1/db/restore
/service/v1/db/backup
/service/upgrade/flow
/module/
/reset

Remediation

Install updates from vendor's website.

#VU25252 Improper Authentication in Ruckus IoT vRIoT Server - CVE-2020-8005

Description

Remediation

External links

Please verify you're human