Ruckus Unleashed/ZoneDirector Format-String RCE via /admin/_conf.jsp
CVE-2025-46123 Published on July 21, 2025

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest password to memory with snprintf using the attacker-supplied value as the format string; a crafted password therefore triggers uncontrolled format-string processing and enables remote code execution on the controller.

NVD

Vulnerability Analysis

CVE-2025-46123 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Use of Externally-Controlled Format String

The software uses a function that accepts a format string as an argument, but the format string originates from an external source.


Products Associated with CVE-2025-46123

stack.watch emails you whenever new vulnerabilities are published in Ruckuswireless Ruckus Unleashed or Ruckuswireless Ruckus Zonedirector. Just hit a watch button to start following.

Ruckuswireless Ruckus Unleashed
 
Ruckuswireless Ruckus Zonedirector
 

Exploit Probability

EPSS
3.59%
Percentile
87.92%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.