CVE-2023-25717
Published 2023-02-13
CVE-2023-25717: Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a…
Priority: P1 · 99
Severity: critical · 9.8 · CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-06-02
Exploited in the wild
EPSS: 95.11% (99.9th percentile)
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| commscope | ruckus_smartzone_firmware | < 5.2.1.3 | 5.2.1.3 |
| commscope | ruckus_smartzone_firmware | < 5.2.1.3.1695 | 5.2.1.3.1695 |
| commscope | ruckus_smartzone_firmware | — | — |
| ruckuswireless | ruckus_wireless_admin | <= 10.4 | — |
| ruckuswireless | smartzone_ap | < 6.1.0.0.9240 | 6.1.0.0.9240 |
| ruckuswireless | smartzone_ap | < 5.2.2.0.2064 | 5.2.2.0.2064 |
| ruckuswireless | smartzone_ap | < 3.6.2.0.795 | 3.6.2.0.795 |
| ruckuswireless | smartzone_ap | < 6.1.1.0.1274 | 6.1.1.0.1274 |
Detection & IOCs (extracted from sources)
Path: /forms/doLogin

Snort rule:

```
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Ruckus Wireless Admin Remote Code Execution Attempt (CVE 2023-25717)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forms/doLogin?login_username="; startswith; fast_pattern; content:"&password="; distance:0; content:"|24 28|"; distance:0; content:"|29|"; endswith; reference:cve,2023-25717; classtype:attempted-admin; sid:2045783; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2023_05_19, cve CVE_2023_25717, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

Bytes: |24 28| ... |29|
- Exploit uses an unauthenticated HTTP GET (and POST per Snort rule) request to /forms/doLogin with shell command injection in the password parameter via $() subshell syntax — look for literal dollar-sign + open-paren bytes (0x24 0x28) in the password field followed by close-paren (0x29).
- AndoryuBot C2 communication uses SOCKS5 protocol on port 10333 to 45.153.243.39 — alert on outbound SOCKS5 connections from Ruckus AP management IPs to this host/port.
- AndoryuBot dropper script is downloaded from 163.123.142.146 via curl — monitor for outbound HTTP connections from Ruckus APs to this IP.
- Nuclei template matcher: an HTTP 302 redirect response combined with an interactsh callback whose request contains 'user-agent' and 'curl' confirms successful RCE via CVE-2023-25717.
- Shodan/FOFA queries for exposed Ruckus admin panels: title:"ruckus wireless" or http.title:"ruckus wireless" identifies internet-facing admin interfaces.
- Exploit parameters are consistent: login_username=admin and a password field containing a $() subshell — the Snort rule triggers on POST to /forms/doLogin?login_username= with bytes 0x24 0x28 ... 0x29 in the password value.
- The Nuclei PoC template uses an out-of-band interaction (interactsh) to confirm RCE — passive network monitoring alone will not confirm exploitation without observing the callback.
- The Snort rule (sid:2045783) is scoped to the POST method only, but the NVD description and Nuclei template demonstrate exploitation via GET — detections relying solely on POST matching may miss GET-based exploit attempts.
- The vulnerability affects Ruckus Wireless Admin through version 10.4 and impacts ZoneDirector, SmartZone, and Solo APs — the scope of affected devices is broad and includes end-of-life products that may not receive patches.
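As an added defensive example (not from the advisory, the Snort rule, or any vendor), the check below extracts the `password` parameter of `/forms/doLogin` requests for both GET and POST, percent-decodes it, and flags the `$(` ... `)` subshell pattern, so it covers the GET case the note above says the POST-only rule misses. The request tuples are constructed sample input, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Login endpoint named in the advisory and in Snort rule sid:2045783.
LOGIN_PATH = "/forms/doLogin"
# $( ... ) subshell syntax: bytes 0x24 0x28 ... 0x29 in the password value.
SUBSHELL = re.compile(r"\$\(.*?\)", re.DOTALL)


def extract_password(method, target, body=""):
    """Return the decoded password parameter of a doLogin request, or None.

    GET requests carry it in the query string; POST requests may carry it in
    the query string (the form the Snort rule matches) or in a form body.
    """
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    values = params.get("password")
    return values[0] if values else None


def is_injection_attempt(method, target, body=""):
    """True when the password value contains a $( ... ) subshell."""
    password = extract_password(method, target, body)
    return password is not None and SUBSHELL.search(password) is not None


# Constructed sample requests: (method, request-target, body).
SAMPLE_REQUESTS = [
    ("GET", "/forms/doLogin?login_username=admin&password=pw%24%28echo+probe%29", ""),
    ("POST", "/forms/doLogin?login_username=admin&password=pw$(echo+probe)", ""),
    ("POST", "/forms/doLogin", "login_username=admin&password=pw%24%28echo+probe%29"),
    ("GET", "/forms/doLogin?login_username=admin&password=Correct-Horse-1", ""),
    ("GET", "/admin/dashboard?password=%24%28x%29", ""),
]


def scan(requests):
    """Return indices of requests that look like CVE-2023-25717 attempts."""
    return [i for i, (m, t, b) in enumerate(requests) if is_injection_attempt(m, t, b)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("suspicious:", SAMPLE_REQUESTS[i][0], SAMPLE_REQUESTS[i][1])
```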
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL
CISA
Multiple Ruckus Wireless Products CSRF and RCE Vulnerability (CVE-2023-25717, CRITICAL, CWE-94)
cisa · 2023-05-12 · CVSS 9.8
Affected: Ruckus Wireless Multiple Products
Ruckus Wireless Access Point (AP) software contains an unspecified vulnerability in the web services component. If the web services component is enabled on the AP, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability impacts Ruckus ZoneDirector, SmartZone, and Solo APs.
Required Action: Apply updates per vendor instructions or disconnect product if it is end-of-life.
Notes: https://support.ruckuswireless.com/security_bulletins/315; https://nvd.nist.gov/vuln/detail/CVE-2023-25717
Remediation Due Date: 2023-06-02
GHSA
GHSA-53wx-2f9c-xxxr: Ruckus Wireless Admin through 10 (CVE-2023-25717, CRITICAL, CWE-94)
ghsa_unreviewed · 2023-02-13
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.
VulnCheck
Multiple Ruckus Wireless Products CSRF and RCE Vulnerability (CVE-2023-25717, CRITICAL, CWE-94)
vulncheck · 2023 · CVSS 9.8
Ruckus Wireless Access Point (AP) software contains an unspecified vulnerability in the web services component. If the web services component is enabled on the AP, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability impacts Ruckus ZoneDirector, SmartZone, and Solo APs.
Affected: Ruckus Wireless Multiple Products
Required Action: Apply updates per vendor instructions or disconnect product if it is end-of-life.
Exploitation References: https://www.fortinet.com/blog/threat-research/andoryubot-new-botnet-campaign-targets-ruckus-wireless-admin-remote-code-execution-vulnerability-cve-2023-25717; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.js
Suricata
ET EXPLOIT Ruckus Wireless Admin Remote Code Execution Attempt (CVE 2023-25717)
suricata · 2023-05-19
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Ruckus Wireless Admin Remote Code Execution Attempt (CVE 2023-25717)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forms/doLogin?login_username="; startswith; fast_pattern; content:"&password="; distance:0; content:"|24 28|"; distance:0; content:"|29|"; endswith; reference:cve,2023-25717; classtype:attempted-admin; sid:2045783; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2023_05_19, cve CVE_2023_25717, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_05_19, mitre_tactic_id TA0001, mitre_tactic_name
Nuclei
Ruckus Wireless Admin - Remote Code Execution (CVE-2023-25717, CRITICAL)
nuclei · CVSS 9.8
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request.
Template:

```yaml
id: CVE-2023-25717
info:
  name: Ruckus Wireless Admin - Remote Code Execution
  author: parthmalhotra,pdresearch
  severity: critical
  description: |
    Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request.
  impact: |
    Remote code execution vulnerability in Ruckus Wireless Admin allows attackers to execute arbitrary code on the target system.
  remediation: |
    Apply the latest security patches and updates provided by Ruckus Wireless to mitigate the vulnerability.
  reference:
    - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssr
```
Fortinet
MrAnon Stealer Spreads via Email with Fake Hotel Booking PDF | FortiGuard Labs
blogs_fortinet · 2023-12-07
By Cara Lin | December 07, 2023
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The information collected can be used for future attacks
Severity Level: High
FortiGuard Labs recently identified an email phishing campaign using deceptive booking information to entice victims into clicking on a malicious PDF file. The PDF downloads a .NET executable file created with PowerGUI and then runs a PowerShell script to fetch the final malware, known as MrAnon Stealer. This m
Fortinet
Attackers Distribute Malware via Freeze.rs And SYK Crypter | FortiGuard Labs
blogs_fortinet · 2023-08-09
By Cara Lin | August 09, 2023
Affected platforms: Windows
Impacted parties: Any organization
Impact: Controls victim’s device and collects sensitive information
Severity level: Critical
FortiGuard Labs recently detected a new injector written in Rust—one of the fastest-growing programming languages—to inject shellcode and introduce XWorm into a victim’s environment. While Rust is relatively uncommon in malware development, several campaigns have adopted this language since 2019, including Buer loader, Hive, and RansomExx. FortiGuard Labs analysis also revealed a significant increase in injector activity during May 2023, where the shellcode can be encoded with Base64 and can choose from encryption
Fortinet
AndoryuBot – New Botnet Campaign Targets Ruckus Wireless Admin Remote Code Execution Vulnerability (CVE-2023-25717) | FortiGuard Labs
blogs_fortinet · 2023-05-08 · CVSS 9.8 · CRITICAL
By Cara Lin | May 08, 2023
Affected platforms: Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of vulnerable systems
Severity level: Critical
In April, FortiGuard Labs observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). This botnet, known as AndoryuBot, first appeared in February 2023. It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies. Based on our IPS signatures trigger count (Figure 1), this campaign started distributing the current version sometime after mid-April.
References:
- https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
- https://support.ruckuswireless.com/security_bulletins/315
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-25717
Timeline: published 2023-02-13 · added to CISA KEV 2023-05-12 · exploited in the wild