CVE-2025-44960
BaseFortify
Publication date: 2025-08-04
Last updated on: 2025-11-03
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| commscope | ruckus_smartzone_firmware | up to 6.1.2 (excluding) |
| commscope | ruckus_smartzone_firmware | 6.1.2 |
| commscope | ruckus_smartzone_firmware | 7.0.0 |
| commscope | ruckus_smartzone_firmware | 7.1.0 |
| commscope | ruckus_virtual_smartzone | * |
| commscope | ruckus_virtual_smartzone-federal | * |
| commscope | ruckus_c110 | * |
| commscope | ruckus_e510 | * |
| commscope | ruckus_h320 | * |
| commscope | ruckus_h350 | * |
| commscope | ruckus_h510 | * |
| commscope | ruckus_m510 | * |
| commscope | ruckus_r320 | * |
| commscope | ruckus_r510 | * |
| commscope | ruckus_r560 | * |
| commscope | ruckus_r610 | * |
| commscope | ruckus_r710 | * |
| commscope | ruckus_r720 | * |
| commscope | ruckus_r730 | * |
| commscope | ruckus_r750 | * |
| commscope | ruckus_smartzone_100 | * |
| commscope | ruckus_smartzone_100-d | * |
| commscope | ruckus_smartzone_144 | * |
| commscope | ruckus_smartzone_144-federal | * |
| commscope | ruckus_smartzone_300 | * |
| commscope | ruckus_smartzone_300-federal | * |
| commscope | ruckus_t310c | * |
| commscope | ruckus_t310d | * |
| commscope | ruckus_t310n | * |
| commscope | ruckus_t310s | * |
| commscope | ruckus_t350se | * |
| commscope | ruckus_t750 | * |
| commscope | ruckus_t750se | * |
| commscope | ruckus_network_director | up to 4.5.0.51 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can allow an attacker to remotely execute arbitrary code on the affected system with limited privileges but without user interaction. This can lead to full compromise of the system, including unauthorized access, data theft, disruption of services, and potentially further attacks within the network. [1]
Can you explain this vulnerability to me?
CVE-2025-44960 is a critical OS command injection vulnerability in Ruckus Networks' Virtual SmartZone (vSZ) product. It occurs because a user-controlled parameter in an API route is not properly sanitized before being used in an operating system command. This allows an attacker to inject malicious commands that can be executed on the affected system, potentially leading to arbitrary code execution. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring API routes of RUCKUS SmartZone (vSZ) for suspicious or malformed parameters that could be used for OS command injection. Network administrators should look for unusual API requests containing shell metacharacters or payloads attempting command execution. Specific commands are not provided in the resources, but general approaches include inspecting logs for suspicious API calls and using network monitoring tools to detect anomalous traffic targeting the vSZ API endpoints. [1]
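The log-inspection approach described above can be sketched as follows. This is an added example, not part of the original entry or any vendor tooling: it scans access-log lines in combined log format for API requests whose path or query values contain shell metacharacters after percent-decoding. The log lines are constructed, and the `/api/placeholder/...` route is hypothetical because the entry does not name the affected route.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined log format). The page does not
# name the affected route, so /api/placeholder/... is a hypothetical path.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2025:10:00:01 +0000] "GET /api/placeholder/v1/aps?name=lobby-ap HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Aug/2025:10:00:05 +0000] "GET /api/placeholder/v1/diag?host=10.0.0.5%3Bid HTTP/1.1" 200 87',
    '198.51.100.7 - - [04/Aug/2025:10:00:09 +0000] "GET /api/placeholder/v1/diag?host=10.0.0.5%2524%2528id%2529 HTTP/1.1" 500 0',
    '192.0.2.10 - - [04/Aug/2025:10:00:12 +0000] "GET /static/app.js?v=1;2 HTTP/1.1" 200 1000',
]

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# Characters and sequences a shell treats as command separators or substitution.
SHELL_META = re.compile(r'[;|&`\r\n]|\$[({]')

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input such as %253B is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines, api_prefix="/api/"):
    """Return (client, status, field, decoded_value) for API requests whose
    path or query values contain shell metacharacters after decoding."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith(api_prefix):
            continue
        # Split on raw '&' first, so only an encoded '&' inside a value is flagged.
        fields = [("<path>", url.path)]
        fields += [tuple(p.partition("=")[::2]) for p in url.query.split("&") if p]
        for name, raw in fields:
            value = decode(raw)
            if SHELL_META.search(value):
                hits.append((client, status, name, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Hits are triage candidates rather than verdicts, since characters such as `&` or `;` can appear in legitimate parameter values; correlate them with the source address, the response status and the patch level of the controller.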
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patches provided by Ruckus Networks for this vulnerability. Additionally, restrict access to the wireless management environment that uses the affected products to a trusted set of users and authenticated clients. Ensure that management access is conducted over secure protocols such as HTTPS or SSH to reduce exposure. [1]