MidnightBSD

Advisories for ruckuswireless

CVE-2013-5030 HIGH

Ruckus Wireless Zoneflex 2942 devices with firmware 9.6.0.0.267 allow remote attackers to bypass authentication, and subsequently access certain configuration/ and maintenance/ scripts, by constructing a crafted URI after receiving an authentication error for an arbitrary login attempt.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
ruckuswireless zoneflex_2942 -
ruckuswireless zoneflex_2942__firmware 9.6.0.0.267
CVE-2017-6224 HIGH

Ruckus Wireless Zone Director Controller firmware releases ZD9.x, ZD10.0.0.x, ZD10.0.1.x (less than 10.0.1.0.17 MR1 release) and Ruckus Wireless Unleashed AP Firmware releases 200.0.x, 200.1.x, 200.2.x, 200.3.x, 200.4.x. contain OS Command Injection vulnerabilities that could allow local authenticated users to execute arbitrary privileged commands on the underlying operating system by appending those commands in the Common Name field in the Certificate Generation Request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
ruckuswireless unleashed_firmware 200.4.9.13
ruckuswireless zonedirector_firmware zd9.9.0.0.216
ruckuswireless zonedirector_firmware zd9.13.0.0.103
ruckuswireless unleashed_firmware 200.3
ruckuswireless unleashed_firmware 200.4.9.13.47
ruckuswireless zonedirector_firmware zd9.10.0.0.218
ruckuswireless zonedirector_firmware zd9.9.0.0.212
ruckuswireless unleashed_firmware 200.3.9.13.228
ruckuswireless zonedirector_firmware zd9.13.0.0.209
ruckuswireless unleashed_firmware 200.1.9.12.55
ruckuswireless zonedirector_firmware zd9.9.0.0.205
ruckuswireless unleashed_firmware 200.1
CVE-2017-6229 HIGH

Ruckus Networks Unleashed AP firmware releases before 200.6.10.1.x and Ruckus Networks Zone Director firmware releases 10.1.0.0.x, 9.10.2.0.x, 9.12.3.0.x, 9.13.3.0.x, 10.0.1.0.x or before contain authenticated Root Command Injection in the CLI that could allow authenticated valid users to execute privileged commands on the respective systems.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
ruckuswireless t300_firmware *
ruckuswireless r710_firmware *
ruckuswireless t301_firmware *
ruckuswireless t710_firmware *
ruckuswireless zonedirector_3000_firmware *
ruckuswireless t300e_firmware *
ruckuswireless zonedirector_1200_firmware *
ruckuswireless h320_firmware *
ruckuswireless t610_firmware *
ruckuswireless r500_firmware *
ruckuswireless zonedirector_1200_firmware 10.1.0.0.1515
ruckuswireless h510_firmware *
ruckuswireless r600_firmware *
ruckuswireless r510_firmware *
ruckuswireless r310_firmware *
ruckuswireless r720_firmware *
ruckuswireless zonedirector_3000_firmware 10.1.0.0.1515
CVE-2017-6230 HIGH

Ruckus Networks Solo APs firmware releases R110.x or before and Ruckus Networks SZ managed APs firmware releases R5.x or before contain authenticated Root Command Injection in the web-GUI that could allow authenticated valid users to execute privileged commands on the respective systems.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
ruckuswireless solo_access_point_firmware *
ruckuswireless smartzone_managed_access_point_firmware *
CVE-2018-11036 MEDIUM

Ruckus SmartZone (formerly Virtual SmartCell Gateway or vSCG) 3.5.0, 3.5.1, 3.6.0, and 3.6.1 (Essentials and High Scale) on vSZ, SZ-100, SZ-300, and SCG-200 devices allows remote attackers to obtain sensitive information or modify data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
ruckuswireless sz-100_firmware 3.5.1
ruckuswireless sz-300_firmware 3.6.1
ruckuswireless scg-200_firmware 3.6.0
ruckuswireless vsz_firmware 3.5.1
ruckuswireless sz-300_firmware 3.5.1
ruckuswireless scg-200_firmware 3.5.1
ruckuswireless sz-100_firmware 3.5.0
ruckuswireless scg-200_firmware 3.6.1
ruckuswireless vsz_firmware 3.5.0
ruckuswireless sz-100_firmware 3.6.1
ruckuswireless sz-300_firmware 3.5.0
ruckuswireless sz-100_firmware 3.6.0
ruckuswireless scg-200_firmware 3.5.0
ruckuswireless vsz_firmware 3.6.0
ruckuswireless sz-300_firmware 3.6.0
ruckuswireless vsz_firmware 3.6.1
CVE-2019-19834 MEDIUM

Directory Traversal in ruckus_cli2 in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote attacker to jailbreak the CLI via enable->debug->script->exec with ../../../bin/sh as the parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
ruckuswireless unleashed *
ruckuswireless zonedirector_1200_firmware *
CVE-2019-19835 MEDIUM

SSRF in AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote denial of service via the server attribute to the tools/_rcmdstat.jsp URI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
ruckuswireless unleashed *
ruckuswireless zonedirector_1200_firmware *
CVE-2019-19836 HIGH

AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote code execution via a POST request that uses tools/_rcmdstat.jsp to write to a specified filename.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
ruckuswireless unleashed *
ruckuswireless zonedirector_1200_firmware *
CVE-2019-19837 HIGH

Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote information disclosure of bin/web.conf via HTTP requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ruckuswireless unleashed *
ruckuswireless zonedirector_1200_firmware *
CVE-2019-19838 HIGH

emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=get-platform-depends to admin/_cmdstat.jsp via the uploadFile attribute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
ruckuswireless unleashed *
ruckuswireless zonedirector_1200_firmware *
CVE-2019-19839 HIGH

emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=import-category to admin/_cmdstat.jsp via the uploadFile attribute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
ruckuswireless unleashed *
ruckuswireless zonedirector_1200_firmware *
CVE-2019-19840 HIGH

A stack-based buffer overflow in zap_parse_args in zap.c in zap in Ruckus Unleashed through 200.7.10.102.64 allows remote code execution via an unauthenticated HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
ruckuswireless unleashed *
ruckuswireless zonedirector_1200_firmware *
CVE-2019-19841 HIGH

emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=packet-capture to admin/_cmdstat.jsp via the mac attribute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
ruckuswireless unleashed *
ruckuswireless zonedirector_1200_firmware *
CVE-2019-19842 HIGH

emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=spectra-analysis to admin/_cmdstat.jsp via the mac attribute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
ruckuswireless unleashed *
ruckuswireless zonedirector_1200_firmware *
CVE-2019-19843 HIGH

Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote credential fetch via an unauthenticated HTTP request involving a symlink with /tmp and web/user/wps_tool_cache.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-522,CWE-552,

Products Affected

Vendor Product Version
ruckuswireless unleashed *
ruckuswireless zonedirector_1200_firmware *
CVE-2020-13913 MEDIUM

An XSS issue in emfd in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to execute JavaScript code via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ruckuswireless unleashed_firmware *
CVE-2020-13914 MEDIUM

webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to cause a denial of service (Segmentation fault) to the webserver via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ruckuswireless unleashed_firmware *
CVE-2020-13915 MEDIUM

Insecure permissions in emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allow a remote attacker to overwrite admin credentials via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,CWE-732,

Products Affected

Vendor Product Version
ruckuswireless unleashed_firmware *
CVE-2020-13916 HIGH

A stack buffer overflow in webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to execute code via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
ruckuswireless unleashed_firmware *
CVE-2020-13917 HIGH

rkscli in Ruckus Wireless Unleashed through 200.7.10.92 allows a remote attacker to achieve command injection and jailbreak the CLI via a crafted CLI command. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
ruckuswireless unleashed_firmware *
CVE-2020-13918 MEDIUM

Incorrect access control in webs in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to leak system information (that can be used for a jailbreak) via an unauthenticated crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
ruckuswireless unleashed_firmware *
CVE-2020-13919 HIGH

emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to achieve command injection via a crafted HTTP request. This affects C110, E510, H320, H510, M510, R320, R310, R500, R510 R600, R610, R710, R720, R750, T300, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, and T710s devices.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
ruckuswireless unleashed_firmware *
CVE-2020-21161 MEDIUM

Cross Site Scripting (XSS) vulnerability in Ruckus Wireless ZoneDirector 9.8.3.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ruckuswireless zonedirector_firmware 9.8.3.0
CVE-2020-22653

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to exploit the official image signature to force injection unauthorized image signature.

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless t301s_firmware 10.5.1.0.199
ruckuswireless zonedirector_3000_firmware 10.2.1.0.218
ruckuswireless zonedirector_5000_firmware 10.0.1.0.151
ruckuswireless t301n_firmware 10.5.1.0.199
ruckuswireless zonedirector_1200_firmware 10.2.1.0.218
ruckuswireless r600_firmware 10.5.1.0.199
ruckuswireless zonedirector_1100_firmware 9.10.2.0.130
ruckuswireless r310_firmware 10.5.1.0.199
ruckuswireless r500_firmware 10.5.1.0.199
ruckuswireless t300_firmware 10.5.1.0.199
ruckuswireless scg200_firmware *
CVE-2020-22654

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to bypass firmware image bad md5 checksum failed error.

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless t301s_firmware 10.5.1.0.199
ruckuswireless zonedirector_3000_firmware 10.2.1.0.218
ruckuswireless zonedirector_5000_firmware 10.0.1.0.151
ruckuswireless t301n_firmware 10.5.1.0.199
ruckuswireless zonedirector_1200_firmware 10.2.1.0.218
ruckuswireless r600_firmware 10.5.1.0.199
ruckuswireless zonedirector_1100_firmware 9.10.2.0.130
ruckuswireless r310_firmware 10.5.1.0.199
ruckuswireless r500_firmware 10.5.1.0.199
ruckuswireless t300_firmware 10.5.1.0.199
ruckuswireless scg200_firmware *
CVE-2020-22655

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to persistently to writing unauthorized image.

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless t301s_firmware 10.5.1.0.199
ruckuswireless zonedirector_3000_firmware 10.2.1.0.218
ruckuswireless zonedirector_5000_firmware 10.0.1.0.151
ruckuswireless t301n_firmware 10.5.1.0.199
ruckuswireless zonedirector_1200_firmware 10.2.1.0.218
ruckuswireless r600_firmware 10.5.1.0.199
ruckuswireless zonedirector_1100_firmware 9.10.2.0.130
ruckuswireless r310_firmware 10.5.1.0.199
ruckuswireless r500_firmware 10.5.1.0.199
ruckuswireless t300_firmware 10.5.1.0.199
ruckuswireless scg200_firmware *
CVE-2020-22656

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to make the Secure Boot in failed attempts state (rfwd).

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless t301s_firmware 10.5.1.0.199
ruckuswireless zonedirector_3000_firmware 10.2.1.0.218
ruckuswireless zonedirector_5000_firmware 10.0.1.0.151
ruckuswireless t301n_firmware 10.5.1.0.199
ruckuswireless zonedirector_1200_firmware 10.2.1.0.218
ruckuswireless r600_firmware 10.5.1.0.199
ruckuswireless zonedirector_1100_firmware 9.10.2.0.130
ruckuswireless r310_firmware 10.5.1.0.199
ruckuswireless r500_firmware 10.5.1.0.199
ruckuswireless t300_firmware 10.5.1.0.199
ruckuswireless scg200_firmware *
CVE-2020-22657

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to perform WEB GUI login authentication bypass.

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless t301s_firmware 10.5.1.0.199
ruckuswireless zonedirector_3000_firmware 10.2.1.0.218
ruckuswireless zonedirector_5000_firmware 10.0.1.0.151
ruckuswireless t301n_firmware 10.5.1.0.199
ruckuswireless zonedirector_1200_firmware 10.2.1.0.218
ruckuswireless r600_firmware 10.5.1.0.199
ruckuswireless zonedirector_1100_firmware 9.10.2.0.130
ruckuswireless r310_firmware 10.5.1.0.199
ruckuswireless r500_firmware 10.5.1.0.199
ruckuswireless t300_firmware 10.5.1.0.199
ruckuswireless scg200_firmware *
CVE-2020-22658

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to switch completely to unauthorized image to be Boot as primary verified image.

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless t301s_firmware 10.5.1.0.199
ruckuswireless zonedirector_3000_firmware 10.2.1.0.218
ruckuswireless zonedirector_5000_firmware 10.0.1.0.151
ruckuswireless t301n_firmware 10.5.1.0.199
ruckuswireless zonedirector_1200_firmware 10.2.1.0.218
ruckuswireless r600_firmware 10.5.1.0.199
ruckuswireless zonedirector_1100_firmware 9.10.2.0.130
ruckuswireless r310_firmware 10.5.1.0.199
ruckuswireless r500_firmware 10.5.1.0.199
ruckuswireless t300_firmware 10.5.1.0.199
ruckuswireless scg200_firmware *
CVE-2020-22659

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to exploit the official image signature to force injection unauthorized image signature.

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless t301s_firmware 10.5.1.0.199
ruckuswireless zonedirector_3000_firmware 10.2.1.0.218
ruckuswireless zonedirector_5000_firmware 10.0.1.0.151
ruckuswireless t301n_firmware 10.5.1.0.199
ruckuswireless zonedirector_1200_firmware 10.2.1.0.218
ruckuswireless r600_firmware 10.5.1.0.199
ruckuswireless zonedirector_1100_firmware 9.10.2.0.130
ruckuswireless r310_firmware 10.5.1.0.199
ruckuswireless r500_firmware 10.5.1.0.199
ruckuswireless t300_firmware 10.5.1.0.199
ruckuswireless scg200_firmware *
CVE-2020-22660

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to force bypass Secure Boot failed attempts and run temporarily the previous Backup image.

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless t301s_firmware 10.5.1.0.199
ruckuswireless zonedirector_3000_firmware 10.2.1.0.218
ruckuswireless zonedirector_5000_firmware 10.0.1.0.151
ruckuswireless t301n_firmware 10.5.1.0.199
ruckuswireless zonedirector_1200_firmware 10.2.1.0.218
ruckuswireless r600_firmware 10.5.1.0.199
ruckuswireless zonedirector_1100_firmware 9.10.2.0.130
ruckuswireless r310_firmware 10.5.1.0.199
ruckuswireless r500_firmware 10.5.1.0.199
ruckuswireless t300_firmware 10.5.1.0.199
ruckuswireless scg200_firmware *
CVE-2020-22661

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to erase the backup secondary official image and write secondary backup unauthorized image.

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless t301s_firmware 10.5.1.0.199
ruckuswireless zonedirector_3000_firmware 10.2.1.0.218
ruckuswireless zonedirector_5000_firmware 10.0.1.0.151
ruckuswireless t301n_firmware 10.5.1.0.199
ruckuswireless zonedirector_1200_firmware 10.2.1.0.218
ruckuswireless r600_firmware 10.5.1.0.199
ruckuswireless zonedirector_1100_firmware 9.10.2.0.130
ruckuswireless r310_firmware 10.5.1.0.199
ruckuswireless r500_firmware 10.5.1.0.199
ruckuswireless t300_firmware 10.5.1.0.199
ruckuswireless scg200_firmware *
CVE-2020-22662

In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151, a vulnerability allows attackers to change and set unauthorized "illegal region code" by remote code Execution command injection which leads to run illegal frequency with maxi output power. Vulnerability allows attacker to create an arbitrary amount of ssid wlans interface per radio which creates overhead over noise (the default max limit is 8 ssid only per radio in solo AP). Vulnerability allows attacker to unlock hidden regions by privilege command injection in WEB GUI.

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless t301s_firmware 10.5.1.0.199
ruckuswireless zonedirector_3000_firmware 10.2.1.0.218
ruckuswireless zonedirector_5000_firmware 10.0.1.0.151
ruckuswireless t301n_firmware 10.5.1.0.199
ruckuswireless zonedirector_1200_firmware 10.2.1.0.218
ruckuswireless r600_firmware 10.5.1.0.199
ruckuswireless zonedirector_1100_firmware 9.10.2.0.130
ruckuswireless r310_firmware 10.5.1.0.199
ruckuswireless r500_firmware 10.5.1.0.199
ruckuswireless t300_firmware 10.5.1.0.199
ruckuswireless scg200_firmware *
CVE-2020-7234 LOW

Ruckus ZoneFlex R310 104.0.0.0.1347 devices allow Stored XSS via the SSID field on the Configuration > Radio 2.4G > Wireless X screen (after a successful login to the super account).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ruckuswireless r310_firmware 104.0.0.0.1347
CVE-2021-36630

DDOS reflection amplification vulnerability in eAut module of Ruckus Wireless SmartZone controller that allows remote attackers to perform DOS attacks via crafted request.

Products Affected

Vendor Product Version
ruckuswireless sz-300_firmware *
ruckuswireless sz-100_firmware *
ruckuswireless vsz_firmware *
ruckuswireless sz-144_firmware *
CVE-2023-25717

Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ruckuswireless smartzone *
commscope ruckus_smartzone_firmware *
ruckuswireless smartzone 6.1.0.0.935
commscope ruckus_smartzone_firmware 6.1.0.0.935
ruckuswireless smartzone_ap *
ruckuswireless ruckus_wireless_admin *
CVE-2023-49225

A cross-site-scripting vulnerability exists in Ruckus Access Point products (ZoneDirector, SmartZone, and AP Solo). If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in the product. As for the affected products/models/versions, see the information provided by the vendor listed under [References] section or the list under [Product Status] section.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
ruckuswireless r850_firmware *
ruckuswireless h550_firmware *
ruckuswireless t350d_firmware *
ruckuswireless e510_firmware *
ruckuswireless t710s_firmware *
ruckuswireless t310d_firmware *
ruckuswireless t350c_firmware *
ruckuswireless h320_firmware *
ruckuswireless smartzone_firmware *
ruckuswireless r550_firmware *
ruckuswireless h510_firmware *
ruckuswireless r730_firmware *
ruckuswireless t310n_firmware *
ruckuswireless t750_firmware *
ruckuswireless t310s_firmware *
ruckuswireless t305_firmware *
ruckuswireless m510_firmware *
ruckuswireless t350se_firmware *
ruckuswireless r710_firmware *
ruckuswireless r320_firmware *
ruckuswireless t710_firmware *
ruckuswireless r760_firmware *
ruckuswireless r350_firmware *
ruckuswireless r610_firmware *
ruckuswireless t750se_firmware *
ruckuswireless h350_firmware *
ruckuswireless t610_firmware *
ruckuswireless zonedirector_firmware *
ruckuswireless r750_firmware *
ruckuswireless t310c_firmware *
ruckuswireless t610s_firmware *
ruckuswireless r560_firmware *
ruckuswireless r650_firmware *
ruckuswireless r510_firmware *
ruckuswireless r310_firmware *
ruckuswireless c110_firmware *
ruckuswireless r720_firmware *
CVE-2025-46116

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where an authenticated attacker can disable the passphrase requirement for a hidden CLI command `!v54!` via a management API call and then invoke it to escape the restricted shell and obtain a root shell on the controller.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
ruckuswireless ruckus_zonedirector *
ruckuswireless ruckus_unleashed *
CVE-2025-46117

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where a hidden debug script `.ap_debug.sh` invoked from the restricted CLI does not properly sanitize its input, allowing an authenticated attacker to execute arbitrary commands as root on the controller or specified target.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
ruckuswireless ruckus_zonedirector *
ruckuswireless ruckus_unleashed *
CVE-2025-46118

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139 and in Ruckus ZoneDirector prior to 10.5.1.0.279, where hard-coded credentials for the ftpuser account provide FTP access to the controller, enabling a remote attacker to upload or retrieve arbitrary files from writable firmware directories and thereby expose sensitive information or compromise the controller.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
ruckuswireless ruckus_zonedirector *
ruckuswireless ruckus_unleashed *
CVE-2025-46119

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where an authenticated request to the management endpoint `/admin/_cmdstat.jsp` discloses the administrator password in a trivially reversible obfuscated form. The same obfuscation method persists in configuration prior to 200.18.7.1.302, allowing anyone who obtains the system configuration to recover the plaintext credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
ruckuswireless ruckus_zonedirector *
ruckuswireless ruckus_unleashed *
CVE-2025-46120

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a remote unauthenticated attacker who can upload a template (e.g., via FTP) to escalate privileges and run arbitrary template code on the controller.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ruckuswireless ruckus_zonedirector *
ruckuswireless ruckus_unleashed *
CVE-2025-46121

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
ruckuswireless ruckus_zonedirector *
ruckuswireless ruckus_unleashed *
CVE-2025-46122

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation, enabling a remote attacker to specify a target by MAC address and execute arbitrary commands as root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 2.3 6.0

Products Affected

Vendor Product Version
ruckuswireless ruckus_zonedirector *
ruckuswireless ruckus_unleashed *
CVE-2025-46123

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest password to memory with snprintf using the attacker-supplied value as the format string; a crafted password therefore triggers uncontrolled format-string processing and enables remote code execution on the controller.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
ruckuswireless ruckus_zonedirector *
ruckuswireless ruckus_unleashed *
CVE-2025-63735

A reflected Cross site scripting (XSS) vulnerability in Ruckus Unleashed 200.13.6.1.319 via the name parameter to the the captive-portal endpoint selfguestpass/guestAccessSubmit.jsp.

Products Affected

Vendor Product Version
ruckusnetworks unleashed_r670_firmware 200.13.6.1.319
ruckusnetworks unleashed_r550_firmware 200.13.6.1.319
ruckusnetworks unleashed_h350_firmware 200.13.6.1.319
ruckusnetworks unleashed_t350se_firmware 200.13.6.1.319
ruckusnetworks unleashed_r350_firmware 200.13.6.1.319
ruckusnetworks unleashed_r350e_firmware 200.13.6.1.319
ruckusnetworks unleashed_t350d_firmware 200.13.6.1.319
ruckusnetworks unleashed_t750se_firmware 200.13.6.1.319
ruckusnetworks unleashed_r770_firmware 200.13.6.1.319
ruckusnetworks unleashed_r370_firmware 200.13.6.1.319
ruckusnetworks unleashed_t750_firmware 200.13.6.1.319
ruckusnetworks unleashed_r650_firmware 200.13.6.1.319
ruckuswireless ruckus_unleashed 200.13.6.1.319
ruckusnetworks unleashed_r750_firmware 200.13.6.1.319
ruckusnetworks unleashed_r850_firmware 200.13.6.1.319
ruckusnetworks unleashed_t670sn_firmware 200.13.6.1.319
ruckusnetworks unleashed_t350c_firmware 200.13.6.1.319
ruckusnetworks unleashed_t670_firmware 200.13.6.1.319
ruckusnetworks unleashed_h550_firmware 200.13.6.1.319