CVE-2020-26878
Published: 2020-10-26
Priority P182 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 11.45% (95.5th percentile)
Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| commscope | ruckus_vriot | <= 1.5.1.0.21 | — |
Detection & IOCs (extracted from sources)
url: /service/v1/createUser
snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Command Injection Attempt Inbound (CVE-2020-26878)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/service/v1/createUser"; startswith; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|username|22|"; content:"|3a 20|"; distance:0; pcre:"/^\x22[^\x22]*\x3b[^\x22]*\x22/PR"; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26878; classtype:attempted-user; sid:2031114; rev:2; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26878, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes:
|22|username|22| followed by |3a 20| in the HTTP request body (JSON username field containing a semicolon: /^\x22[^\x22]*\x3b[^\x22]*\x22/)
- Exploit targets the /service/v1/createUser API endpoint via HTTP POST with Content-Type application/json. The injection point is the 'username' JSON field, where a semicolon (;) is used to chain arbitrary OS commands executed as root via web.py.
- Detection should focus on POST requests to /service/v1/createUser where the JSON body contains a 'username' value with an embedded semicolon character (0x3b), indicating a command injection attempt.
- Reference blog post for full exploit details: adepts.of0x.cc/ruckus-vriot-rce/
- MITRE ATT&CK mapping: Lateral Movement (TA0008), Exploitation of Remote Services (T1210).
- Exploitation requires prior authentication; unauthenticated requests to the endpoint will not trigger the injection. Ensure detection rules account for authenticated sessions.
- Affected versions are Ruckus vRIoT through 1.5.1.0.21. Verify version scope before deploying detections to avoid false positives on patched or unrelated devices.
CVSS provenance
nvd v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck: 8.8 HIGH
GHSA
GHSA-9h25-7cgq-fhvv: Ruckus through 1… (ghsa_unreviewed · 2022-05-24 · CWE-862 · HIGH)
VulnCheck
commscope ruckus_vriot: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (vulncheck · 2020 · CVSS 8.8 · HIGH)
Affected: commscope ruckus_vriot
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/
Exploit PoC: https://vulncheck.com/xdb/5b875bd3339d; https://vulncheck.com/xdb/461e4b239b35
Suricata
ET EXPLOIT Ruckus vRIoT Command Injection Attempt Inbound (CVE-2020-26878) (suricata · 2020-10-26 · CVSS 8.8 · HIGH)
Rule: sid:2031114, rev:2; the full rule text is given under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.
References
https://adepts.of0x.cc
https://adepts.of0x.cc/ruckus-vriot-rce/
https://support.ruckuswireless.com/documents
https://support.ruckuswireless.com/security_bulletins/305
https://twitter.com/TheXC3LL
https://x-c3ll.github.io