An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.
CVSS
No CVSS.
References
| Link | Resource |
|---|---|
| https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ | Exploit Third Party Advisory |
| https://support.ruckuswireless.com/security_bulletins/330 | Product |
Configurations
Configuration 1 (hide)
| AND |
|
History
05 Aug 2025, 17:18
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Commscope ruckus T811-cm
Commscope ruckus R750 Commscope ruckus R760 Commscope ruckus T610 Commscope ruckus H350 Commscope ruckus M510-jp Commscope Commscope ruckus T710s Commscope ruckus T350se Commscope ruckus R650 Ruckuswireless ruckus Unleashed Commscope ruckus R550 Commscope zonedirector 1200 Commscope ruckus C110 Commscope ruckus R610 Commscope ruckus E510 Commscope ruckus T310s Commscope ruckus R710 Commscope ruckus H550 Commscope ruckus R350e Commscope ruckus T350d Commscope ruckus R510 Commscope ruckus R670 Commscope ruckus R320 Commscope ruckus T310c Commscope ruckus T670 Commscope ruckus T710 Commscope ruckus T750se Commscope ruckus M510 Commscope ruckus H320 Commscope ruckus T350c Commscope ruckus T750 Commscope ruckus H510 Commscope ruckus T811-cm \(non-sfp\) Commscope ruckus R770 Commscope ruckus R730 Commscope ruckus T310n Commscope ruckus R310 Commscope ruckus R720 Commscope ruckus R560 Commscope ruckus R350 Ruckuswireless ruckus Zonedirector Commscope ruckus R850 Ruckuswireless |
|
| References | () https://support.ruckuswireless.com/security_bulletins/330 - Product | |
| References | () https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ - Exploit, Third Party Advisory | |
| CPE | cpe:2.3:h:commscope:ruckus_t811-cm:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r750:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_m510:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r310:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_m510-jp:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r350:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r320:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_h320:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r650:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r510:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t750se:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r760:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:zonedirector_1200:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t350d:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r560:-:*:*:*:*:*:*:* cpe:2.3:a:ruckuswireless:ruckus_unleashed:*:*:*:*:*:*:*:* cpe:2.3:a:ruckuswireless:ruckus_zonedirector:*:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r720:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r550:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t670:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t750:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t710s:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r770:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_h350:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_e510:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t610:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t310c:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t350c:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r850:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t350se:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_h550:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t310n:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r710:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r350e:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r610:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r730:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t710:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_r670:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_c110:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_h510:-:*:*:*:*:*:*:* cpe:2.3:h:commscope:ruckus_t310s:-:*:*:*:*:*:*:* |
22 Jul 2025, 17:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
21 Jul 2025, 15:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-07-21 15:15
Updated : 2025-08-05 17:18
NVD link : CVE-2025-46121
Mitre link : CVE-2025-46121
JSON object : View
Products Affected
commscope
- ruckus_r310
- ruckus_t310n
- ruckus_r320
- ruckus_t710
- ruckus_r710
- ruckus_h510
- ruckus_h320
- ruckus_t310c
- zonedirector_1200
- ruckus_r850
- ruckus_t670
- ruckus_e510
- ruckus_r610
- ruckus_t350c
- ruckus_t310s
- ruckus_r350e
- ruckus_c110
- ruckus_r510
- ruckus_r760
- ruckus_r350
- ruckus_r670
- ruckus_r750
- ruckus_t610
- ruckus_h550
- ruckus_t710s
- ruckus_r730
- ruckus_r720
- ruckus_t750
- ruckus_r770
- ruckus_t811-cm
- ruckus_r550
- ruckus_t750se
- ruckus_m510-jp
- ruckus_m510
- ruckus_r560
- ruckus_r650
- ruckus_h350
- ruckus_t811-cm_\(non-sfp\)
- ruckus_t350se
- ruckus_t350d
ruckuswireless
- ruckus_zonedirector
- ruckus_unleashed
CWE
No CWE.