CVE-2025-46120

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a remote unauthenticated attacker who can upload a template (e.g., via FTP) to escalate privileges and run arbitrary template code on the controller.

CVSS

No CVSS.

References

Link	Resource
https://sector7.computest.nl/post/2025-07-ruckus-unleashed/	Exploit Third Party Advisory
https://support.ruckuswireless.com/security_bulletins/330	Product

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:ruckuswireless:ruckus_unleashed::::::::
	cpe:2.3:a:ruckuswireless:ruckus_unleashed::::::::
	cpe:2.3:a:ruckuswireless:ruckus_zonedirector::::::::

OR	cpe:2.3:h:commscope:ruckus_c110:-:::::::*
	cpe:2.3:h:commscope:ruckus_e510:-:::::::*
	cpe:2.3:h:commscope:ruckus_h320:-:::::::*
	cpe:2.3:h:commscope:ruckus_h350:-:::::::*
	cpe:2.3:h:commscope:ruckus_h510:-:::::::*
	cpe:2.3:h:commscope:ruckus_h550:-:::::::*
	cpe:2.3:h:commscope:ruckus_m510:-:::::::*
	cpe:2.3:h:commscope:ruckus_m510-jp:-:::::::*
	cpe:2.3:h:commscope:ruckus_r310:-:::::::*
	cpe:2.3:h:commscope:ruckus_r320:-:::::::*
	cpe:2.3:h:commscope:ruckus_r350:-:::::::*
	cpe:2.3:h:commscope:ruckus_r350e:-:::::::*
	cpe:2.3:h:commscope:ruckus_r510:-:::::::*
	cpe:2.3:h:commscope:ruckus_r550:-:::::::*
	cpe:2.3:h:commscope:ruckus_r560:-:::::::*
	cpe:2.3:h:commscope:ruckus_r610:-:::::::*
	cpe:2.3:h:commscope:ruckus_r650:-:::::::*
	cpe:2.3:h:commscope:ruckus_r670:-:::::::*
	cpe:2.3:h:commscope:ruckus_r710:-:::::::*
	cpe:2.3:h:commscope:ruckus_r720:-:::::::*
	cpe:2.3:h:commscope:ruckus_r730:-:::::::*
	cpe:2.3:h:commscope:ruckus_r750:-:::::::*
	cpe:2.3:h:commscope:ruckus_r760:-:::::::*
	cpe:2.3:h:commscope:ruckus_r770:-:::::::*
	cpe:2.3:h:commscope:ruckus_r850:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310c:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310n:-:::::::*
	cpe:2.3:h:commscope:ruckus_t310s:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350c:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350d:-:::::::*
	cpe:2.3:h:commscope:ruckus_t350se:-:::::::*
	cpe:2.3:h:commscope:ruckus_t610:-:::::::*
	cpe:2.3:h:commscope:ruckus_t670:-:::::::*
	cpe:2.3:h:commscope:ruckus_t710:-:::::::*
	cpe:2.3:h:commscope:ruckus_t710s:-:::::::*
	cpe:2.3:h:commscope:ruckus_t750:-:::::::*
	cpe:2.3:h:commscope:ruckus_t750se:-:::::::*
	cpe:2.3:h:commscope:ruckus_t811-cm:-:::::::*
	cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:::::::*
	cpe:2.3:h:commscope:zonedirector_1200:-:::::::*

History

05 Aug 2025, 17:18

Type	Values Removed	Values Added
CPE		cpe:2.3:h:commscope:ruckus_t811-cm:-:::::::* cpe:2.3:h:commscope:ruckus_r750:-:::::::* cpe:2.3:h:commscope:ruckus_m510:-:::::::* cpe:2.3:h:commscope:ruckus_r310:-:::::::* cpe:2.3:h:commscope:ruckus_m510-jp:-:::::::* cpe:2.3:h:commscope:ruckus_r350:-:::::::* cpe:2.3:h:commscope:ruckus_r320:-:::::::* cpe:2.3:h:commscope:ruckus_h320:-:::::::* cpe:2.3:h:commscope:ruckus_r650:-:::::::* cpe:2.3:h:commscope:ruckus_r510:-:::::::* cpe:2.3:h:commscope:ruckus_t750se:-:::::::* cpe:2.3:h:commscope:ruckus_r760:-:::::::* cpe:2.3:h:commscope:zonedirector_1200:-:::::::* cpe:2.3:h:commscope:ruckus_t350d:-:::::::* cpe:2.3:h:commscope:ruckus_r560:-:::::::* cpe:2.3:a:ruckuswireless:ruckus_unleashed:::::::: cpe:2.3:a:ruckuswireless:ruckus_zonedirector:::::::: cpe:2.3:h:commscope:ruckus_r720:-:::::::* cpe:2.3:h:commscope:ruckus_r550:-:::::::* cpe:2.3:h:commscope:ruckus_t670:-:::::::* cpe:2.3:h:commscope:ruckus_t750:-:::::::* cpe:2.3:h:commscope:ruckus_t710s:-:::::::* cpe:2.3:h:commscope:ruckus_r770:-:::::::* cpe:2.3:h:commscope:ruckus_h350:-:::::::* cpe:2.3:h:commscope:ruckus_e510:-:::::::* cpe:2.3:h:commscope:ruckus_t610:-:::::::* cpe:2.3:h:commscope:ruckus_t310c:-:::::::* cpe:2.3:h:commscope:ruckus_t350c:-:::::::* cpe:2.3:h:commscope:ruckus_r850:-:::::::* cpe:2.3:h:commscope:ruckus_t350se:-:::::::* cpe:2.3:h:commscope:ruckus_h550:-:::::::* cpe:2.3:h:commscope:ruckus_t310n:-:::::::* cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:::::::* cpe:2.3:h:commscope:ruckus_r710:-:::::::* cpe:2.3:h:commscope:ruckus_r350e:-:::::::* cpe:2.3:h:commscope:ruckus_r610:-:::::::* cpe:2.3:h:commscope:ruckus_r730:-:::::::* cpe:2.3:h:commscope:ruckus_t710:-:::::::* cpe:2.3:h:commscope:ruckus_r670:-:::::::* cpe:2.3:h:commscope:ruckus_c110:-:::::::* cpe:2.3:h:commscope:ruckus_h510:-:::::::* cpe:2.3:h:commscope:ruckus_t310s:-:::::::*
First Time		Commscope ruckus T811-cm Commscope ruckus R750 Commscope ruckus R760 Commscope ruckus T610 Commscope ruckus H350 Commscope ruckus M510-jp Commscope Commscope ruckus T710s Commscope ruckus T350se Commscope ruckus R650 Ruckuswireless ruckus Unleashed Commscope ruckus R550 Commscope zonedirector 1200 Commscope ruckus C110 Commscope ruckus R610 Commscope ruckus E510 Commscope ruckus T310s Commscope ruckus R710 Commscope ruckus H550 Commscope ruckus R350e Commscope ruckus T350d Commscope ruckus R510 Commscope ruckus R670 Commscope ruckus R320 Commscope ruckus T310c Commscope ruckus T670 Commscope ruckus T710 Commscope ruckus T750se Commscope ruckus M510 Commscope ruckus H320 Commscope ruckus T350c Commscope ruckus T750 Commscope ruckus H510 Commscope ruckus T811-cm \(non-sfp\) Commscope ruckus R770 Commscope ruckus R730 Commscope ruckus T310n Commscope ruckus R310 Commscope ruckus R720 Commscope ruckus R560 Commscope ruckus R350 Ruckuswireless ruckus Zonedirector Commscope ruckus R850 Ruckuswireless
References	~~() https://support.ruckuswireless.com/security_bulletins/330 -~~	() https://support.ruckuswireless.com/security_bulletins/330 - Product
References	~~() https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ -~~	() https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ - Exploit, Third Party Advisory

22 Jul 2025, 17:15

Type	Values Removed	Values Added
References	~~{'url': 'http://commscope.com', 'name': 'http://commscope.com', 'tags': [], 'refsource': ''}~~

22 Jul 2025, 14:15

Type	Values Removed	Values Added
Summary	An issue was discovered in CommScope Ruckus Unleashed prior to 200.14.6.1.203 and in Ruckus ZoneDirector, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a remote unauthenticated attacker who can upload a template (e.g., via FTP) to escalate privileges and run arbitrary template code on the controller.	An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a remote unauthenticated attacker who can upload a template (e.g., via FTP) to escalate privileges and run arbitrary template code on the controller.

21 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-21 15:15

Updated : 2025-08-05 17:18

NVD link : CVE-2025-46120

Mitre link : CVE-2025-46120

JSON object : View

Products Affected

commscope

ruckus_r310
ruckus_t310n
ruckus_r320
ruckus_t710
ruckus_r710
ruckus_h510
ruckus_h320
ruckus_t310c
zonedirector_1200
ruckus_r850
ruckus_t670
ruckus_e510
ruckus_r610
ruckus_t350c
ruckus_t310s
ruckus_r350e
ruckus_c110
ruckus_r510
ruckus_r760
ruckus_r350
ruckus_r670
ruckus_r750
ruckus_t610
ruckus_h550
ruckus_t710s
ruckus_r730
ruckus_r720
ruckus_t750
ruckus_r770
ruckus_t811-cm
ruckus_r550
ruckus_t750se
ruckus_m510-jp
ruckus_m510
ruckus_r560
ruckus_r650
ruckus_h350
ruckus_t811-cm_\(non-sfp\)
ruckus_t350se
ruckus_t350d

ruckuswireless

ruckus_zonedirector
ruckus_unleashed

CWE

No CWE.

JSON object

Attach tags to CVE-2025-46120

Attach tags to `CVE-2025-46120`