Tuesday, August 5, 2025

Critical Ruckus Wireless Vulnerabilities Expose Enterprise Wireless Networks

Multiple critical vulnerabilities have been discovered in Ruckus Wireless management products, specifically Virtual SmartZone (vSZ) and Network Director (RND), potentially allowing complete compromise of enterprise wireless environments. 

These vulnerabilities, disclosed on July 8, 2025, affect wireless network management systems that can scale up to 10,000 access points and 150,000 connected clients, making them particularly concerning for large-scale deployments in schools, hospitals, and smart cities.

Key Takeaways
1. Ruckus vSZ and RND vulnerabilities enable authentication bypass, hardcoded secrets exploitation, and remote code execution leading to full system compromise.
2. JWT keys, API keys, SSH keys, and passwords are embedded in software, allowing easy administrator access without complex attacks.
3. Affects management systems controlling up to 10,000 access points and 150,000 clients in enterprise environments like schools and hospitals.
4. Vendor hasn't released fixes; organizations must immediately isolate affected systems to trusted networks with limited access.

Authentication Bypass and Hardcoded Secrets 

The most severe vulnerabilities stem from hardcoded cryptographic secrets embedded within the software architecture. 

CVE-2025-44957 exposes hardcoded JWT signing keys and API keys that enable complete authentication bypass, allowing attackers to gain administrator-level access using HTTP headers and valid API keys. 

Similarly, CVE-2025-44954 represents an unauthenticated remote code execution vulnerability caused by hardcoded default RSA public and private keys in the SSH configuration. 

The flaw involves a built-in user account with root privileges, and the default cryptographic keys are identical across all Ruckus deployments.

Network Director faces comparable issues with CVE-2025-44963, which involves hardcoded JWT secret keys that attackers can exploit to create valid authentication tokens. 

Additionally, CVE-2025-44955 exposes a hardcoded password within the jailed environment designed for device configuration, while CVE-2025-6243 reveals hardcoded SSH public keys for the privileged ‘sshuser’ account.

Remote Code Execution and File Traversal Attacks 

CVE-2025-44960 demonstrates OS command injection through unsanitized user-controlled parameters in vSZ API routes, enabling attackers to execute arbitrary commands. 

CVE-2025-44961 presents another RCE vulnerability where IP address parameters lack proper sanitization, allowing command injection attacks.

CVE-2025-44962 is a directory traversal flaw based on relative path manipulation, enabling authenticated users to read sensitive files outside designated directories using “../” sequences. 

CVE-2025-44958 compounds these risks by storing passwords in a recoverable format using weak encryption with hardcoded keys, potentially exposing all user credentials if the system is compromised.
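
The input-handling flaws described above (an IP address parameter passed into an OS command, and “../” sequences in a file path) share one defensive pattern: parse the input into a typed value and reject anything that does not fit. The following is an added illustration of that pattern, not Ruckus code; the function names, the ping command and the /srv/reports directory are assumptions chosen for the example.

```python
import ipaddress
from pathlib import Path

# Vulnerable pattern, shown only as a comment: the parameter is pasted into a
# shell string, so any shell metacharacters in it become part of the command.
#   os.system("ping -c 1 " + ip_param)

def build_ping_argv(ip_param: str) -> list[str]:
    """Validate an IP parameter and return an argv list (no shell involved)."""
    try:
        addr = ipaddress.ip_address(ip_param.strip())
    except ValueError:
        raise ValueError(f"rejected IP parameter: {ip_param!r}") from None
    # IPv6 scope IDs ("fe80::1%eth0") are free-form text, so refuse them.
    if getattr(addr, "scope_id", None):
        raise ValueError(f"rejected scoped address: {ip_param!r}")
    # Use the canonical form, not the raw string, and execute it with
    # subprocess.run(argv, shell=False) so no shell ever parses it.
    return ["ping", "-c", "1", str(addr)]

def resolve_under(base_dir: str, user_path: str) -> Path:
    """Resolve user_path inside base_dir and refuse anything that escapes it."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()  # collapses "../" and symlinks
    if not candidate.is_relative_to(base):
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    return candidate

def verdict(fn, *args) -> str:
    """Return 'accepted' or 'rejected' for one input, for the demo below."""
    try:
        fn(*args)
        return "accepted"
    except (ValueError, PermissionError):
        return "rejected"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request.
    for ip in ["192.0.2.10", "192.0.2.10; id", "fe80::1%eth0;id"]:
        print(f"{ip!r:24} {verdict(build_ping_argv, ip)}")
    for p in ["2025/july.csv", "../../etc/passwd", "/etc/passwd"]:
        print(f"{p!r:24} {verdict(resolve_under, '/srv/reports', p)}")
```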

| CVE | Description | Severity |
|---|---|---|
| CVE-2025-44957 | Hardcoded Secrets – Authentication bypass | Critical |
| CVE-2025-44954 | Unauthenticated RCE – Built-in user with root privileges accessible | Critical |
| CVE-2025-44960 | Remote Code Execution – Unsanitized user-controlled parameters in vSZ API routes | Critical |
| CVE-2025-44961 | Remote Code Execution – Unsanitized IP address parameters in OS commands | Critical |
| CVE-2025-44963 | Hardcoded JWT secret key in RND backend – Hardcoded secret enables JWT token creation | Critical |
| CVE-2025-44955 | Hardcoded jailbreak password in RND – Weak hardcoded password for privilege escalation | High |
| CVE-2025-6243 | Hardcoded SSH public key for ‘sshuser’ – Default SSH keys for privileged user account | High |
| CVE-2025-44962 | Authenticated arbitrary file read – Directory traversal | Medium |
| CVE-2025-44958 | Recoverable password storage – Weak encryption with hardcoded keys | Medium |

Mitigation Strategies

Currently, no vendor patches are available for these vulnerabilities. The CERT Coordination Center recommends implementing strict network isolation for affected Ruckus wireless management environments. 

Network administrators should limit access to trusted users only and ensure these systems operate within isolated management networks. Secure protocols such as HTTPS and SSH should be enforced for all management communications.

These vulnerabilities can be chained together to create sophisticated attack vectors that bypass individual security controls, potentially leading to complete wireless infrastructure compromise. 

Organizations using Ruckus Virtual SmartZone or Network Director should immediately assess their network segmentation and access controls while awaiting vendor remediation.

Tarun Chhetri