CVE-2021-33216
published 2021-07-07

CVE-2021-33216: An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. An Undocumented Backdoor exists, allowing shell access via a developer account.

Priority: P2 (71)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: flagged (EXPLOIT badge)
EPSS: 13.77% (96.0th percentile)

Affected

1 range

Vendor      Product                  Version range   Fixed in
commscope   ruckus_iot_controller    <= 1.7.1.0      (not listed)

Detection & IOCs (extracted from sources)

Indicators:
  other: ssh-rsa [key body redacted] [email protected]   (the hardcoded public key; its comment is shown redacted here)
  path: ./VRIOT/ap-images/authorized_keys
  path: ./VRIOT/ops/ap-images/authorized_keys
  process (account name): vriotiotupgrade
  path: /VRIOT/ap-images/authorized_keys
  path: /usr/bin/rssh

Detection guidance:
  • Detect SSH authentication attempts for the backdoor account 'vriotiotupgrade' in the SSH or auth logs of Ruckus IoT Controller appliances.
  • Alert on the presence of the hardcoded RSA public key (key comment: [email protected]) in any authorized_keys file on the system.
  • Monitor for SCP connections (TCP/22) to Ruckus IoT Controller appliances from unexpected external sources; the rssh configuration restricts the backdoor account to SCP.
  • Check for the 'vriotha' local account with password authentication enabled in sshd_config, which may indicate a secondary backdoor account.
  • The installed rssh version 2.3.4 is vulnerable to CVE-2019-3463, CVE-2019-3464 and CVE-2019-1000018 (remote command injection); chain detection of rssh exploitation attempts with activity on the vriotiotupgrade account.

Notes:
  • The backdoor account 'vriotiotupgrade' has PasswordAuthentication disabled; access requires the SSH private key matching the hardcoded RSA public key.
  • The rssh configuration only permits 'allowscp', so the backdoor by itself is scoped to SCP file transfer rather than an interactive shell. Combined with one of the rssh command-injection CVEs above, it yields command execution, which is why the CVE text describes it as shell access.
  • The identical hardcoded authorized_keys file is present at two separate paths within the OVA/VMDK, both granting the same backdoor access.
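The checks above, turned into a small hunting script. This is an added example written for this page, not code from the source or from the vendor; the auth log lines, authorized_keys contents, rssh.conf and sshd_config it scans are constructed samples, and the key comment "[email protected]" is used exactly as the page shows it (redacted), so substitute the real comment when running this on an appliance.

```python
import re
from collections import namedtuple

# Hunting checks for CVE-2021-33216 on a Ruckus IoT Controller host.
# Added example; not the original page's or vendor's code.

BACKDOOR_ACCOUNTS = {"vriotiotupgrade", "vriotha"}          # primary + possible secondary account
BACKDOOR_KEY_COMMENT = "[email protected]"                # as shown (redacted) on the page
KEY_PATHS = ["/VRIOT/ap-images/authorized_keys",
             "/VRIOT/ops/ap-images/authorized_keys"]       # both copies of the hardcoded file

# OpenSSH syslog line: "Accepted <method> for <user> from <ip> port <port> ssh2 ..."
SSHD_ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
Login = namedtuple("Login", "ts user method ip")


def find_backdoor_logins(log_lines, accounts=BACKDOOR_ACCOUNTS):
    """Successful SSH logins for any of the backdoor accounts."""
    hits = []
    for line in log_lines:
        m = SSHD_ACCEPT_RE.search(line)
        if m and m.group("user") in accounts:
            hits.append(Login(m.group("ts"), m.group("user"), m.group("method"), m.group("ip")))
    return hits


def parse_authorized_keys(text):
    """Yield (keytype, comment) per key line; tolerates a leading options field."""
    keys = []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, field in enumerate(parts):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                comment = " ".join(parts[i + 2:])
                keys.append((field, comment))
                break
    return keys


def find_hardcoded_key(text, comment=BACKDOOR_KEY_COMMENT):
    """Keys whose comment matches the hardcoded backdoor key's comment."""
    return [k for k in parse_authorized_keys(text) if k[1] == comment]


def rssh_allows_only_scp(rssh_conf):
    """True when the only 'allow*' directive in rssh.conf is allowscp."""
    allowed = set()
    for raw in rssh_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("allow"):
            allowed.add(line)
    return allowed == {"allowscp"}


def password_auth_enabled_for(sshd_config, user):
    """Effective PasswordAuthentication for `user`, honoring 'Match User' blocks.
    Only the 'User' match criterion is understood (sufficient for the vriotha check)."""
    global_val, matched_val = True, None   # sshd default is yes when the directive is absent
    in_scope = None                         # None = global section, else whether the Match block applies
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            crit = rest.split()
            in_scope = len(crit) >= 2 and crit[0].lower() == "user" and user in crit[1].split(",")
        elif key == "passwordauthentication":
            val = rest.strip().lower() == "yes"
            if in_scope is None:
                global_val = val
            elif in_scope:
                matched_val = val
    return matched_val if matched_val is not None else global_val


# ---- constructed samples (not real appliance data) ----
SAMPLE_AUTH_LOG = """\
Jul  7 10:02:11 vriot sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 51312 ssh2: RSA SHA256:fake
Jul  7 10:05:43 vriot sshd[2290]: Accepted publickey for vriotiotupgrade from 203.0.113.77 port 40022 ssh2: RSA SHA256:fake
Jul  7 10:06:01 vriot sshd[2301]: Failed password for vriotha from 203.0.113.77 port 40030 ssh2
Jul  7 10:07:15 vriot sshd[2310]: Accepted password for vriotha from 203.0.113.77 port 40041 ssh2
"""
SAMPLE_AUTHORIZED_KEYS = """\
# fake key bodies
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0fake0admin0key0 admin@vriot
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0fake0backdoor0 [email protected]
"""
SAMPLE_RSSH_CONF = "logfacility = LOG_USER\nallowscp\numask = 022\n"
SAMPLE_SSHD_CONFIG = "PasswordAuthentication no\nMatch User vriotha\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for hit in find_backdoor_logins(SAMPLE_AUTH_LOG.splitlines()):
        print("backdoor login:", hit)
    print("hardcoded key present:", bool(find_hardcoded_key(SAMPLE_AUTHORIZED_KEYS)))
    print("rssh scp-only:", rssh_allows_only_scp(SAMPLE_RSSH_CONF))
    print("vriotha password auth:", password_auth_enabled_for(SAMPLE_SSHD_CONFIG, "vriotha"))
```

On a live appliance, feed `find_backdoor_logins` the contents of /var/log/auth.log or the journal, run `find_hardcoded_key` over each file in KEY_PATHS, and pass /etc/rssh.conf and /etc/ssh/sshd_config to the last two functions; any true result is a finding.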

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P