MidnightBSD

Advisories for commscope

CVE-2014-3778 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in goform/RgDdns in ARRIS (formerly Motorola) SBG901 SURFboard Wireless Cable Modem allow remote attackers to hijack the authentication of administrators for requests that (1) change the dns service via the DdnsService parameter, (2) change the username via the DdnsUserName parameter, (3) change the password via the DdnsPassword parameter, or (4) change the host name via the DdnsHostName parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
commscope arris_sbg901 -
CVE-2017-16836 MEDIUM

Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse 10.0.59.SIP.PC20.CT software allow Unauthenticated Stored XSS via the actionHandler/ajax_managed_services.php service parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
commscope arris_tg1682g_firmware 10.0.59.sip.pc20.ct
CVE-2017-9476 LOW

The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices makes it easy for remote attackers to determine the hidden SSID and passphrase for a Home Security Wi-Fi network.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-200,

Products Affected

Vendor Product Version
commscope arris_tg1682g_firmware 10.0.132.sip.pc20.ct
cisco dpc3939_firmware dpc3939-p20-18-v303r20421746-170221a-cmcst
cisco dpc3939_firmware dpc3939-p20-18-v303r20421733-160420a-cmcst
commscope arris_tg1682g_firmware tg1682_2.2p7s2_prod_sey
CVE-2017-9489 MEDIUM

The Comcast firmware on Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST) devices allows configuration changes via CSRF.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
cisco dpc3939b_firmware dpc3939b-v303r204217-150321a-cmcst
commscope arris_tg1682g_firmware 10.0.132.sip.pc20.ct
commscope arris_tg1682g_firmware tg1682_2.2p7s2_prod_sey
CVE-2017-9491 MEDIUM

The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST); Cisco DPC3941T (firmware version DPC3941_2.5s3_PROD_sey); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices does not set the secure flag for cookies in an https session to an administration application, which makes it easier for remote attackers to capture these cookies by intercepting their transmission within an http session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
cisco dpc3939b_firmware dpc3939b-v303r204217-150321a-cmcst
commscope arris_tg1682g_firmware 10.0.132.sip.pc20.ct
cisco dpc3939_firmware dpc3939-p20-18-v303r20421746-170221a-cmcst
cisco dpc3939_firmware dpc3939-p20-18-v303r20421733-160420a-cmcst
cisco dpc3941t_firmware dpc3941_2.5s3_prod_sey
commscope arris_tg1682g_firmware tg1682_2.2p7s2_prod_sey
CVE-2017-9492 MEDIUM

The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST); Cisco DPC3941T (firmware version DPC3941_2.5s3_PROD_sey); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices does not include the HTTPOnly flag in a Set-Cookie header for administration applications, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
cisco dpc3939b_firmware dpc3939b-v303r204217-150321a-cmcst
commscope arris_tg1682g_firmware 10.0.132.sip.pc20.ct
cisco dpc3939_firmware dpc3939-p20-18-v303r20421746-170221a-cmcst
cisco dpc3939_firmware dpc3939-p20-18-v303r20421733-160420a-cmcst
cisco dpc3941t_firmware dpc3941_2.5s3_prod_sey
commscope arris_tg1682g_firmware tg1682_2.2p7s2_prod_sey
CVE-2017-9521 HIGH

The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST); Cisco DPC3941T (firmware version DPC3941_2.5s3_PROD_sey); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices allows remote attackers to execute arbitrary code via a specific (but unstated) exposed service. NOTE: the scope of this CVE does NOT include the concept of "Unnecessary Services" in general; the scope is only a single service that is unnecessarily exposed, leading to remote code execution. The details of that service might be disclosed at a later date.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
cisco dpc3939b_firmware dpc3939b-v303r204217-150321a-cmcst
commscope arris_tg1682g_firmware 10.0.132.sip.pc20.ct
cisco dpc3939_firmware dpc3939-p20-18-v303r20421746-170221a-cmcst
cisco dpc3939_firmware dpc3939-p20-18-v303r20421733-160420a-cmcst
cisco dpc3941t_firmware dpc3941_2.5s3_prod_sey
commscope arris_tg1682g_firmware tg1682_2.2p7s2_prod_sey
CVE-2018-10989 LOW

Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices are distributed by some ISPs with a default password of "password" for the admin account that is used over an unencrypted http://192.168.0.1 connection, which might allow remote attackers to bypass intended access restrictions by leveraging access to the local network. NOTE: one or more user's guides distributed by ISPs state "At a minimum, you should set a login password."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.6 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.7 5.9

CVSS 2.0

Severity: LOW

Problem Type: CWE-1188,

Products Affected

Vendor Product Version
commscope arris_tg1682g_firmware 9.1.103j6
CVE-2018-10990 HIGH

On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 1.3 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-613,

Products Affected

Vendor Product Version
commscope arris_tg1682g_firmware 9.1.103j6
CVE-2018-17555 MEDIUM

The web component on ARRIS TG2492LG-NA 061213 devices allows remote attackers to obtain sensitive information via the /snmpGet oids parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
commscope arris_tg2492lg-na_firmware 061213
CVE-2018-20383 MEDIUM

ARRIS DG950A 7.10.145 and DG950S 7.10.145.EURO devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
commscope arris_dg950a_firmware 7.10.145
arris dg950s_firmware 7.10.145.euro
CVE-2018-20386 MEDIUM

ARRIS SBG6580-2 D30GW-SEAEAGLE-1.5.2.5-GA-00-NOSH devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
commscope arris_sbg6580-2_firmware d30gw-seaeagle-1.5.2.5-ga-00-nosh
CVE-2019-15805 HIGH

CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/login.html. Any user connected to the Wi-Fi can exploit this.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-326,

Products Affected

Vendor Product Version
commscope tr4400_firmware *
CVE-2019-15806 HIGH

CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative interface because they include the current base64 encoded password within http://192.168.1.1/basic_sett.html. Any user connected to the Wi-Fi can exploit this.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-326,

Products Affected

Vendor Product Version
commscope tr4400_firmware *
CVE-2020-26878 HIGH

Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
commscope ruckus_vriot *
CVE-2020-26879 HIGH

Ruckus vRioT through 1.5.1.0.21 has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
commscope ruckus_vriot *
CVE-2020-7983 MEDIUM

A CSRF issue in login.asp on Ruckus R500 3.4.2.0.384 devices allows remote attackers to access the panel or conduct SSRF attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
commscope ruckus_zoneflex_r500_firmware 3.4.2.0.384
CVE-2020-8033 MEDIUM

Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Device Name field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
commscope ruckus_zoneflex_r500_firmware 3.4.2.0.384
CVE-2020-8830 MEDIUM

CSRF in login.asp on Ruckus devices allows an attacker to access the panel, and use SSRF to perform scraping or other analysis via the SUBCA-1 field on the Wireless Admin screen.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-918,

Products Affected

Vendor Product Version
commscope ruckus_zoneflex_r500_firmware -
CVE-2020-9476 MEDIUM

ARRIS TG1692A devices allow remote attackers to discover the administrator login name and password by reading the /login page and performing base64 decoding.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-326,

Products Affected

Vendor Product Version
commscope arris_tg1692a_firmware 9.1.103de2
CVE-2021-20119 MEDIUM

The password change utility for the Arris SurfBoard SB8200 can have safety measures bypassed that allow any logged-in user to change the administrator password.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
commscope arris_surfboard_sb8200_firmware ab01.02.053.01_112320_193.0a.nsh
CVE-2021-20120 MEDIUM

The administration web interface for the Arris Surfboard SB8200 lacks any protections against cross-site request forgery attacks. This means that an attacker could make configuration changes (such as changing the administrative password) without the consent of the user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
commscope arris_surfboard_sb8200_firmware ab01.02.053.01_112320_193.0a.nsh
CVE-2021-33215 MEDIUM

An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. The API allows Directory Traversal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
commscope ruckus_iot_controller *
CVE-2021-33216 HIGH

An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. An Undocumented Backdoor exists, allowing shell access via a developer account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
commscope ruckus_iot_controller *
CVE-2021-33217 HIGH

An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. The Web Application allows Arbitrary Read/Write actions by authenticated users. The API allows an HTTP POST of arbitrary content into any file on the filesystem as root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
commscope ruckus_iot_controller *
CVE-2021-33218 HIGH

An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Hard-coded System Passwords that provide shell access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
commscope ruckus_iot_controller *
CVE-2021-33219 HIGH

An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Hard-coded Web Application Administrator Passwords for the admin and nplus1user accounts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
commscope ruckus_iot_controller *
CVE-2021-33220 MEDIUM

An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. Hard-coded API Keys exist.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
commscope ruckus_iot_controller *
CVE-2021-33221 HIGH

An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. There are Unauthenticated API Endpoints.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,

Products Affected

Vendor Product Version
commscope ruckus_iot_controller *
CVE-2021-41552 MEDIUM

CommScope SURFboard SBG6950AC2 9.1.103AA23 devices allow Command Injection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-77,

Products Affected

Vendor Product Version
commscope arris_surfboard_sbg7580ac_firmware -
commscope arris_surfboard_sbg7400ac2_firmware -
commscope arris_surfboard_sbg10_firmware -
commscope arris_surfboard_sbg6950ac2_firmware 9.1.103aa23
commscope arris_surfboard_sbg7600ac2_firmware -
CVE-2022-26995 HIGH

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pptp (wan_pptp.html) function via the pptp_fix_ip, pptp_fix_mask, pptp_fix_gw, and wan_dns1_stat parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
commscope arris_tr3300_firmware 1.0.13
CVE-2022-26996 HIGH

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
commscope arris_tr3300_firmware 1.0.13
CVE-2022-26997 HIGH

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the upnp function via the upnp_ttl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
commscope arris_tr3300_firmware 1.0.13
CVE-2022-26998 HIGH

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the wps setting function via the wps_enrolee_pin parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
commscope arris_tr3300_firmware 1.0.13
CVE-2022-26999 HIGH

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the static ip settings function via the wan_ip_stat, wan_mask_stat, wan_gw_stat, and wan_dns1_stat parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
commscope arris_tr3300_firmware 1.0.13
CVE-2022-27000 HIGH

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the time and time zone function via the h_primary_ntp_server, h_backup_ntp_server, and h_time_zone parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
commscope arris_tr3300_firmware 1.0.13
CVE-2022-27001 HIGH

Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the dhcp function via the hostname parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
commscope arris_tr3300_firmware 1.0.13
CVE-2022-27002 HIGH

Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns、ddns_host parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
commscope arris_tr3300_firmware 1.0.13
CVE-2022-45701

Arris TG2482A firmware through 9.1.103GEM9 allow Remote Code Execution (RCE) via the ping utility feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
commscope arris_tg2492_firmware *
commscope arris_tg2482a_firmware *
commscope arris_sbg10_firmware *
CVE-2023-25717

Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ruckuswireless smartzone_ap *
commscope ruckus_smartzone_firmware 6.1.0.0.935
ruckuswireless smartzone *
ruckuswireless ruckus_wireless_admin *
ruckuswireless smartzone 6.1.0.0.935
commscope ruckus_smartzone_firmware *
CVE-2023-27571

An issue was discovered in DG3450 Cable Gateway AR01.02.056.18_041520_711.NCS.10. The troubleshooting_logs_download.php log file download functionality does not check the session cookie. Thus, an attacker can download all log files.

Products Affected

Vendor Product Version
commscope dg3450_firmware ar01.02.056.18_041520_711.ncs.10
CVE-2023-27572

An issue was discovered in CommScope Arris DG3450 Cable Gateway AR01.02.056.18_041520_711.NCS.10. A reflected XSS vulnerability was discovered in the https_redirect.php web page via the page parameter.

Products Affected

Vendor Product Version
commscope dg3450_firmware ar01.02.056.18_041520_711.ncs.10
CVE-2023-45992

A vulnerability in the web-based interface of the RUCKUS Cloudpath product on version 5.12 build 5538 or before to could allow a remote, unauthenticated attacker to execute persistent XSS and CSRF attacks against a user of the admin management interface. A successful attack, combined with a certain admin activity, could allow the attacker to gain full admin privileges on the exploited system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
commscope ruckus_cloudpath_enrollment_system *
CVE-2024-23618 HIGH

An arbitrary code execution vulnerability exists in Arris SURFboard SGB6950AC2 devices. An unauthenticated attacker can exploit this vulnerability to achieve code execution as root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
disclosures@exodusintel.com 9.6 CRITICAL CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,CWE-306,

Products Affected

Vendor Product Version
commscope arris_surfboard_sbg6950ac2_firmware -
CVE-2025-44954

RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build has a hardcoded SSH private key for a root-equivalent user account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
cve@mitre.org 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

Products Affected

Vendor Product Version
commscope ruckus_smartzone_firmware 7.1.0
commscope ruckus_smartzone_firmware 6.1.2
commscope ruckus_smartzone_firmware 7.0.0
commscope ruckus_smartzone_firmware *
CVE-2025-44955

RUCKUS Network Director (RND) before 4.5 allows jailed users to obtain root access vis a weak, hardcoded password.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
commscope ruckus_network_director *
CVE-2025-44957

Ruckus SmartZone (SZ) before 6.1.2p3 Refresh Build allows authentication bypass via a valid API key and crafted HTTP headers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
commscope ruckus_smartzone_firmware 7.1.0
commscope ruckus_network_director *
commscope ruckus_smartzone_firmware 6.1.2
commscope ruckus_smartzone_firmware 7.0.0
commscope ruckus_smartzone_firmware *
CVE-2025-44958

RUCKUS Network Director (RND) before 4.5 stores passwords in a recoverable format.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
cve@mitre.org 5.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 0.8 4.0

Products Affected

Vendor Product Version
commscope ruckus_network_director *
CVE-2025-44960

RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build allows OS command injection via a certain parameter in an API route.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
cve@mitre.org 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

Products Affected

Vendor Product Version
commscope ruckus_smartzone_firmware 7.1.0
commscope ruckus_network_director *
commscope ruckus_smartzone_firmware 6.1.2
commscope ruckus_smartzone_firmware 7.0.0
commscope ruckus_smartzone_firmware *
CVE-2025-44961

In RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build, OS command injection can occur via an IP address field provided by an authenticated user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
cve@mitre.org 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
commscope ruckus_smartzone_firmware 7.1.0
commscope ruckus_network_director *
commscope ruckus_smartzone_firmware 6.1.2
commscope ruckus_smartzone_firmware 7.0.0
commscope ruckus_smartzone_firmware *
CVE-2025-44962

RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build allows ../ directory traversal to read files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.0 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 3.1 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
commscope ruckus_smartzone_firmware 7.1.0
commscope ruckus_network_director *
commscope ruckus_smartzone_firmware 6.1.2
commscope ruckus_smartzone_firmware 7.0.0
commscope ruckus_smartzone_firmware *
CVE-2025-44963

RUCKUS Network Director (RND) before 4.5 allows spoofing of an administrator JWT by an attacker who knows the hardcoded value of a certain secret key.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
cve@mitre.org 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

Products Affected

Vendor Product Version
commscope ruckus_network_director *
CVE-2025-67304

In Ruckus Network Director (RND) < 4.5.0.54, the OVA appliance contains hardcoded credentials for the ruckus PostgreSQL database user. In the default configuration, the PostgreSQL service is accessible over the network on TCP port 5432. An attacker can use the hardcoded credentials to authenticate remotely, gaining superuser access to the database. This allows creation of administrative users for the web interface, extraction of password hashes, and execution of arbitrary OS commands.

Products Affected

Vendor Product Version
commscope ruckus_network_director *
CVE-2025-67305

In RUCKUS Network Director (RND) < 4.5.0.56, the OVA appliance contains hardcoded SSH keys for the postgres user. These keys are identical across all deployments, allowing an attacker with network access to authenticate via SSH without a password. Once authenticated, the attacker can access the PostgreSQL database with superuser privileges, create administrative users for the web interface, and potentially escalate privileges further.

Products Affected

Vendor Product Version
commscope ruckus_network_director *