CVE-2025-44961
BaseFortify
Publication date: 2025-08-04
Last updated on: 2025-11-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| commscope | ruckus_smartzone_firmware | to 6.1.2 (exc) |
| commscope | ruckus_smartzone_firmware | 6.1.2 |
| commscope | ruckus_smartzone_firmware | 6.1.2 |
| commscope | ruckus_smartzone_firmware | 6.1.2 |
| commscope | ruckus_smartzone_firmware | 7.0.0 |
| commscope | ruckus_smartzone_firmware | 7.1.0 |
| commscope | ruckus_virtual_smartzone | * |
| commscope | ruckus_virtual_smartzone-federal | * |
| commscope | ruckus_c110 | * |
| commscope | ruckus_e510 | * |
| commscope | ruckus_h320 | * |
| commscope | ruckus_h350 | * |
| commscope | ruckus_h510 | * |
| commscope | ruckus_m510 | * |
| commscope | ruckus_r320 | * |
| commscope | ruckus_r510 | * |
| commscope | ruckus_r560 | * |
| commscope | ruckus_r610 | * |
| commscope | ruckus_r710 | * |
| commscope | ruckus_r720 | * |
| commscope | ruckus_r730 | * |
| commscope | ruckus_r750 | * |
| commscope | ruckus_smartzone_100 | * |
| commscope | ruckus_smartzone_100-d | * |
| commscope | ruckus_smartzone_144 | * |
| commscope | ruckus_smartzone_144-federal | * |
| commscope | ruckus_smartzone_300 | * |
| commscope | ruckus_smartzone_300-federal | * |
| commscope | ruckus_t310c | * |
| commscope | ruckus_t310d | * |
| commscope | ruckus_t310n | * |
| commscope | ruckus_t310s | * |
| commscope | ruckus_t350se | * |
| commscope | ruckus_t750 | * |
| commscope | ruckus_t750se | * |
| commscope | ruckus_network_director | to 4.5.0.51 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-44961 is a critical OS command injection vulnerability in Ruckus Networks' Virtual SmartZone (vSZ) product before version 6.1.2p3 Refresh Build. An authenticated user can provide an IP address input that is not properly sanitized, allowing them to inject arbitrary operating system commands instead of a valid IP address. This can lead to remote code execution on the affected system. [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including remote code execution by an authenticated user, which can lead to full system compromise. The attacker could execute arbitrary commands with the privileges of the application, potentially resulting in data theft, service disruption, or further network penetration. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusual or unauthorized command execution attempts via the IP address input fields in RUCKUS SmartZone (vSZ) management interfaces. Since the vulnerability requires authenticated access, reviewing authentication logs for suspicious activity and inspecting input fields for command injection patterns is recommended. Specific commands are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patches released by Ruckus Networks for the affected SmartZone products. Additionally, restrict access to the wireless management environment to a trusted set of authenticated users and clients, and enforce secure protocols such as HTTPS or SSH for management access to reduce exposure. [1]