VU#613753: RUCKUS Virtual SmartZone (vSZ) and RUCKUS Network Director (RND) contain multiple vulnerabilities

Overview

Multiple vulnerabilities have been identified in RUCKUS Networks management products, specifically Virtual SmartZone (vSZ) and Network Director (RND), including authentication bypass, hardcoded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. These issues may allow full compromise of the environments managed by the affected software.

For the latest information, please see RUCKUS Security Bulletin 20250710.

Description

RUCKUS Networks is a company that provides networking devices for venues where many end points will be connected to the internet, such as schools, hospitals, multi-tenant residences, and smart cities that provide public Wi-Fi. Virtual SmartZone (vSZ) by RUCKUS Networks is a wireless network control software to virtually manage large-scale networks, up to a scale of 10,000 RUCKUS access points and 150,000 connected clients. RUCKUS Network Director (RND) is software for the management of multiple vSZ clusters on a single network.

Multiple vulnerabilities were reported in these RUCKUS Networks products that are described here:

[CVE-2025-44957] Hardcoded Secrets, including JWT Signing Key, API keys in Code (CWE-287: Improper Authentication). Multiple secrets are hardcoded into the vSZ application, making them vulnerable to access thus allowing elevated privileges. Using HTTP headers and a valid API key, it is possible to logically bypass the authentication methods, providing administrator-level access to anyone that does this.

[CVE-2025-44962] Authenticated Arbitrary File Read (CWE-23: Relative Path Traversal). RUCKUS vSZ allows for users to download files from an allowed directory, but by hardcoding a directory path, a user could traverse other directory paths with ../ to read sensitive files.

[CVE-2025-44960] Remote Code Execution (CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)). A parameter in a vSZ API route is user-controlled and not sanitized before being executed in an OS command. An attacker could supply a malicious payload to result in code execution.

[CVE-2025-44961] Remote Code Execution (CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)). An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.

[CVE-2025-44963] Hardcoded Secrets, including JWT token (CWE-321: Use of Hard-coded Cryptographic Key). RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.

[CVE-2025-44955] Hardcoded Secrets (CWE-259: Use of Hard-coded Password). RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.

[CVE-2025-6243] Hardcoded SSH Public Key (CWE-321: Use of Hard-coded Cryptographic Key). A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.

[CVE-2025-44958] Recoverable passwords (CWE-257: Storing Passwords in a Recoverable Format). RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.

Impact

Impact of these vulnerabilities vary from information leakage to total compromise of the wireless environment managed by the affected products. As an example, an attacker with API access to RUCKUS Networks vSZ can exploit CVE-2025-44957 to gain full administrator access that will lead to total compromise of the vSZ wireless management environment. Furthermore, multiple vulnerabilities can be chained to create chained attacks that can allow the attacker to combine attacks to bypass any security controls that prevent only specific attacks.

Solution

RUCKUS has provided patches defined per product at https://webresources.commscope.com/download/assets/FAQ+Security+Advisory%3A+ID+20250710/225f44ac3bd311f095821adcaa92e24e.

Furthermore, RUCKUS advises deploying
vSZ and RND in accordance with best security practices and also restricting network access to potentially vulnerable devices to a limited set of trusted users.

Acknowledgements

Thanks to Noam Moshe of Claroty Team82 for reporting these vulnerabilities. This document was written by CERT/CC.