Latest RUCKUS Networks vulnerabilities

Eight critical vulnerabilities have been disclosed affecting certain models and versions of RUCKUS Networks management products, specifically RUCKUS SmartZone (SZ), RUCKUS Virtual SmartZone (vSZ), and RUCKUS Network Director (RND). These vulnerabilities include authentication bypass, hardcoded secrets, arbitrary file read by authenticated users, and remote code execution (RCE).

RUCKUS SmartZone (SZ) and Virtual SmartZone (vSZ) vulnerabilities:

  • Multiple secrets, including the JWT signing key and API keys, are hardcoded into the vSZ application, where an adversary can access them and use them to gain elevated privileges. Using HTTP headers and a valid API key, it is possible to logically bypass the authentication methods and gain administrator-level access. This vulnerability has been designated CVE-2025-44957.
  • vSZ allows authenticated users to download files from an allowed directory, but a hardcoded directory path enables an adversary to traverse outside of the intended directory scope and read sensitive files. This vulnerability has been designated CVE-2025-44962.
  • A user-controlled vSZ API route parameter is not properly sanitized before being executed in an OS command. An adversary could supply a malicious payload to the API parameter resulting in RCE. This vulnerability has been designated CVE-2025-44960.
  • An authenticated vSZ user-supplied IP address is not properly sanitized before it is included as an argument to an OS command. An adversary could supply other commands instead of an IP address to achieve RCE. This vulnerability has been designated CVE-2025-44961.
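The bug class behind CVE-2025-44961, as an added example (not RUCKUS code and not from the advisory): a user-supplied address reaching an OS command, with the unsafe pattern beside a hardened one. The `ping` command and all function names are assumptions chosen for illustration.

```python
import ipaddress
import subprocess

def unsafe_command(user_value):
    """Vulnerable pattern: user text pasted into a string meant for a shell."""
    return f"ping -c 1 {user_value}"  # would be run with shell=True

def build_ping_argv(user_value):
    """Hardened pattern: accept only an IP literal and return an argv list."""
    if not isinstance(user_value, str):
        raise ValueError("address must be a string")
    # Raises ValueError for anything that is not a bare IPv4/IPv6 literal,
    # including trailing spaces, option-like text and shell metacharacters.
    addr = ipaddress.ip_address(user_value)
    # IPv6 zone IDs ("fe80::1%eth0") are free-form text on Python 3.9+,
    # so refuse them rather than pass unvalidated characters along.
    if getattr(addr, "scope_id", None):
        raise ValueError("IPv6 zone IDs are not accepted")
    # Use the canonical form of the parsed object, never the raw input.
    return ["ping", "-c", "1", str(addr)]

def run_ping(user_value):
    """Run the diagnostic without a shell; each argv item is one argument."""
    argv = build_ping_argv(user_value)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=5, check=False)
```
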

RUCKUS Network Director (RND) vulnerabilities:

  • RND uses a secret key on the backend web server to ensure that session JSON Web Tokens (JWTs) are valid. The secret key is hardcoded into the web server. Therefore, an adversary with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication and gaining access to the server with administrator privileges. This vulnerability has been designated CVE-2025-44963.
  • RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. This jailed environment includes a built-in jailbreak to allow technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. An adversary with this password can access an RND server with root permissions. This vulnerability has been designated CVE-2025-44955.
  • A built-in user sshuser, with root privileges, exists on the RND platform, with both public and private SSH keys located in its home directory. An adversary with the private key may access an RND server as the sshuser user. This vulnerability has been designated CVE-2025-6243.
  • RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an adversary could obtain all of the plaintext passwords. This vulnerability has been designated CVE-2025-44958.

The following products are affected:

  • SmartZone 100 (SZ-100)
  • SmartZone 100-D (SZ100-D)
  • SmartZone 144 (SZ-144)
  • SmartZone 144 (SZ-144) - Federal
  • SmartZone 144-Dataplane (SZ144-D)
  • SmartZone 300 (SZ300)
  • SmartZone 300 (SZ300) - Federal
  • Virtual SmartZone - (vSZ)
  • Virtual SmartZone - (vSZ) - Federal
  • Virtual SmartZone-Dataplane (vSZ-D)
  • Virtual SmartZone-Dataplane (vSZ-D) - Federal
  • RUCKUS Network Director (RND)

The following versions are affected:

  • RUCKUS SmartZone (SZ) and Virtual SmartZone (vSZ)
    • 5.2.1.x versions prior to 5.2.1.3.1695 (FIPS and CC Compliant (MR Refresh2))
    • 5.2.2.x versions prior to 5.2.2.0.1563 (LT-GD MR 2 Refresh)
    • 6.x versions prior to 6.1.2.0.487 (6.1.2 Patch3)
    • 7.x versions prior to 7.1.0.0.586 (7.1.0 (LT-GA))
  • RUCKUS Network Director (RND)
    • 3.0 versions; the patched version is unknown (Note: The specific patched version is not explicitly stated in the advisory, and no new 3.0.x or 3.5.x releases appear to have been issued in 2025.)
    • 4.0.x versions prior to 4.0.0.47
    • 4.5.x versions prior to 4.5.0.51
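A way to apply the version list above to an asset inventory, as an added example (not runZero or RUCKUS code). The fixed builds are copied from the list; the product keys `sz` and `rnd`, the status names and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed builds per release branch, copied from the advisory's version list.
# None = the advisory names no patched build for that branch.
FIXED_BUILDS = {
    "sz": {"5.2.1": "5.2.1.3.1695", "5.2.2": "5.2.2.0.1563",
           "6": "6.1.2.0.487", "7": "7.1.0.0.586"},
    "rnd": {"3.0": None, "4.0": "4.0.0.47", "4.5": "4.5.0.51"},
}

def parse_version(text):
    """Turn '6.1.2.0.487' into (6, 1, 2, 0, 487); reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def classify(product, version):
    """Return 'below-fix', 'at-or-above-fix', 'no-fix-listed' or 'branch-not-listed'."""
    ver = parse_version(version)
    branches = FIXED_BUILDS[product]
    # Try the most specific branch prefix first (5.2.1 before 6).
    for prefix in sorted(branches, key=lambda p: -p.count(".")):
        pfx = parse_version(prefix)
        if ver[:len(pfx)] != pfx:
            continue
        fixed = branches[prefix]
        if fixed is None:
            return "no-fix-listed"
        # Tuple comparison is numeric per field, so build 487 > build 99.
        return "below-fix" if ver < parse_version(fixed) else "at-or-above-fix"
    return "branch-not-listed"

def audit(inventory):
    """Map (host, product, version) rows to (host, status) pairs."""
    return [(host, classify(product, version)) for host, product, version in inventory]

# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    ("vsz-lab-01", "sz", "6.1.2.0.354"),
    ("sz300-core", "sz", "7.1.0.0.586"),
    ("rnd-noc", "rnd", "4.0.0.46"),
    ("rnd-old", "rnd", "3.0.0.12"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

It compares build numbers only and does not detect whether a KSP has been applied, so a `below-fix` result on SZ or vSZ means the host needs review.
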

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible.

For RUCKUS SmartZone (SZ) and Virtual SmartZone (vSZ), apply the engineering patch diagnostic script (KSP) or upgrade:

  • 5.2.1.x to version 5.2.1.3.1695 (FIPS and CC Compliant (MR Refresh2)) or later, KSP (SecurityFix_5_2_1_3_1695-15389-v1_866985.ksp)
  • 5.2.2.x to version 5.2.2.0.1563 (LT-GD MR 2 Refresh) or later, KSP (SecurityFix_5_2_2_0_1563-15389-v1_866974.ksp)
  • 6.x to version 6.1.2.0.487 (6.1.2 Patch3) or later, KSP (SecurityFix_6_1_2_487-15389-v1_0c5006774d7.ksp)
  • 7.x to version 7.1.0.0.586 (7.1.0 (LT-GA)) or later, KSP (SecurityFix_7_1_0_0_586-15389-v1_1141f30a5b6.ksp)

For RUCKUS Network Director (RND), upgrade:

  • 3.0: the patched version is unknown (Note: The specific patched version is not explicitly stated in the advisory, and no new 3.0.x or 3.5.x releases appear to have been issued in 2025.)
  • 4.0.x to version 4.0.0.47 or later
  • 4.5.x to version 4.5.0.51 or later

To prevent potential KSP conflicts, users who have already applied a KSP to their SmartZone (SZ) or Virtual SmartZone (vSZ) should contact the RUCKUS support team.

How to find potentially vulnerable systems with runZero

From the Service inventory, use the following query to locate potentially vulnerable assets:

_asset.protocol:http AND protocol:http AND has:last.html.title AND (last.html.title:"Virtual SmartZone" OR last.html.title:"Ruckus Wireless")

Written by Matthew Kienow

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.
