VU#613753: Ruckus Virtual SmartZone (vSZ) and Ruckus Network Director (RND) contain multiple vulnerabilities

Overview

Multiple vulnerabilities have been identified in Ruckus Wireless management products, specifically Virtual SmartZone (vSZ) and Network Director (RND), including authentication bypass, hardcoded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. These issues may allow full compromise of the environments managed by the affected software. At this time, we have not able to reach Ruckus Wireless or their parent company to include their response to these disclosed vulnerabilities, we recommend using these products only within isolated management networks accessible to trusted users.

Description

Ruckus Wireless is a company that provides networking devices for venues where many end points will be connected to the internet, such as schools, hospitals, multi-tenant residences, and smart cities that provide public Wi-Fi. Virtual SmartZone (vSZ) by Ruckus Wireless is a wireless network control software to virtually manage large-scale networks, up to a scale of 10,000 Ruckus access points and 150,000 connected clients. Ruckus Network Director (RND) is software for the management of multiple vSZ clusters on a single network.

Multiple vulnerabilities were reported in these Ruckus Wireless products that are described here:

[CVE-2025-44957] Hardcoded Secrets, including JWT Signing Key, API keys in Code (CWE-287: Improper Authentication). Multiple secrets are hardcoded into the vSZ application, making them vulnerable to access thus allowing elevated privileges. Using HTTP headers and a valid API key, it is possible to logically bypass the authentication methods, providing administrator-level access to anyone that does this.

[CVE-2025-44962] Authenticated Arbitrary File Read (CWE-23: Relative Path Traversal). Ruckus vSZ allows for users to download files from an allowed directory, but by hardcoding a directory path, a user could traverse other directory paths with ../ to read sensitive files.

[CVE-2025-44954] Unauthenticated RCE in SSH due to Hardcoded Default Public/Private Keys (CWE-1394: Use of Default Cryptographic Key). Ruckus vSZ has a built-in user with all of the same privileges as root. This user also has default public and private RSA keys in its /home/$USER/.ssh/ directory. Anyone with a Ruckus device would also have this private key and be able to ssh as this and then have root-level permissions.

[CVE-2025-44960] Remote Code Execution (CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)). A parameter in a vSZ API route is user-controlled and not sanitized before being executed in an OS command. An attacker could supply a malicious payload to result in code execution.

[CVE-2025-44961] Remote Code Execution (CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)). An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.

[CVE-2025-44963] Hardcoded Secrets, including JWT token (CWE-321: Use of Hard-coded Cryptographic Key). RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.

[CVE-2025-44955] Hardcoded Secrets (CWE-259: Use of Hard-coded Password). RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.

[CVE-2025-6243] Hardcoded SSH Public Key (CWE-321: Use of Hard-coded Cryptographic Key). A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.

[CVE-2025-44958] Recoverable passwords (CWE-257: Storing Passwords in a Recoverable Format). RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.

Impact

Impact of these vulnerabilities vary from information leakage to total compromise of the wireless environment managed by the affected products. As an example, an attacker with network access to Ruckus Wireless vSZ can exploit CVE-2025-44954 to gain full administrator access that will lead to total compromise of the vSZ wireless management environment. Furthermore, multiple vulnerabilities can be chained to create chained attacks that can allow the attacker to combine attacks to bypass any security controls that prevent only specific attacks.

Solution

No patches have been supplied by the vendor at this time.
To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.

Acknowledgements

Thanks to Noam Moshe of Claroty Team82 for reporting these vulnerabilities. This document was written by CERT/CC.