CVE-2020-26878
published 2020-10-26

Priority: P182 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 11.45% (95.5th percentile)

Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.

Affected (1 range)

Vendor | Product | Version range | Fixed in
commscope | ruckus_vriot | <= 1.5.1.0.21 |

Detection & IOCs (extracted from sources)

url: /service/v1/createUser
snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Command Injection Attempt Inbound (CVE-2020-26878)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/service/v1/createUser"; startswith; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|username|22|"; content:"|3a 20|"; distance:0; pcre:"/^\x22[^\x22]*\x3b[^\x22]*\x22/PR"; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26878; classtype:attempted-user; sid:2031114; rev:2; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26878, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes:
|22|username|22| followed by |3a 20| in HTTP request body (JSON username field containing semicolon: /^\x22[^\x22]*\x3b[^\x22]*\x22/)
  • The exploit targets the /service/v1/createUser API endpoint via HTTP POST with Content-Type application/json. The injection point is the 'username' JSON field, where a semicolon (;) is used to chain arbitrary OS commands that are executed as root via web.py.
  • Detection should focus on POST requests to /service/v1/createUser whose JSON body contains a 'username' value with an embedded semicolon character (0x3b), indicating a command injection attempt.
  • Reference blog post for full exploit details: adepts.of0x.cc/ruckus-vriot-rce/
  • MITRE ATT&CK mapping: Lateral Movement (TA0008), Exploitation of Remote Services (T1210).
  • Exploitation requires prior authentication; unauthenticated requests to the endpoint will not trigger the injection. Ensure detection rules account for authenticated sessions.
  • Affected versions are Ruckus vRIoT through 1.5.1.0.21. Verify version scope before deploying detections to avoid false positives on patched or unrelated devices.
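
Added example (not part of the source entry, the referenced rule set or any vendor code): the detection logic from the notes above, applied in Python to request records that have already been parsed out of a proxy or web log. The record layout, the /service/v1/other path and the sample usernames are assumptions constructed for illustration.

```python
import json
import re

ENDPOINT = "/service/v1/createUser"  # path named in the advisory
# Fallback for bodies that do not parse as JSON: same idea as the rule's PCRE.
RAW_USERNAME = re.compile(rb'"username"\s*:\s*"[^"]*;[^"]*"')

def username_has_semicolon(body: bytes) -> bool:
    """Check the 'username' field of a JSON body for a ';' (0x3b)."""
    try:
        doc = json.loads(body)
    except ValueError:  # malformed JSON or bad encoding: match on raw bytes
        return RAW_USERNAME.search(body) is not None
    name = doc.get("username") if isinstance(doc, dict) else None
    return isinstance(name, str) and ";" in name

def is_suspicious(req: dict) -> bool:
    """req is a hypothetical record with method, path, content_type, body."""
    return (
        req["method"].upper() == "POST"
        and req["path"].startswith(ENDPOINT)
        and "application/json" in req["content_type"].lower()
        and username_has_semicolon(req["body"])
    )

def scan(requests):
    """Return the ids of the requests that match the pattern."""
    return [r["id"] for r in requests if is_suspicious(r)]

# Constructed sample records (not captured traffic).
SAMPLES = [
    {"id": 1, "method": "POST", "path": ENDPOINT,
     "content_type": "application/json", "body": b'{"username": "alice"}'},
    {"id": 2, "method": "POST", "path": ENDPOINT,
     "content_type": "application/json",
     "body": b'{"username": "alice;PLACEHOLDER_COMMAND"}'},
    {"id": 3, "method": "GET", "path": ENDPOINT,
     "content_type": "application/json", "body": b""},
    {"id": 4, "method": "POST", "path": "/service/v1/other",  # constructed path
     "content_type": "application/json", "body": b'{"username": "a;b"}'},
    {"id": 5, "method": "POST", "path": ENDPOINT,
     "content_type": "application/json; charset=utf-8",
     "body": b'{"username": "bob;PLACEHOLDER"'},  # truncated body, not valid JSON
]

if __name__ == "__main__":
    print(scan(SAMPLES))
```

A hit is a lead for review rather than proof of compromise, since a semicolon in a submitted username can also come from a typo or a test request.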

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck | 8.8 | HIGH