CVE DATABASE / CVE-2023-25717
CVE-2023-25717
Multiple Ruckus Wireless Products CSRF and RCE Vulnerability
CVSS 9.8 · CRITICAL
⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog
Confirmed exploited in the wild. Added 2023-05-12.
Federal remediation due 2023-06-02.
Required action: Apply updates per vendor instructions or disconnect product if it is end-of-life.
Summary
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.
CVSS 3.1 breakdown
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Ruckuswireless ruckus wireless adminRuckuswireless smartzone apRuckuswireless e510Ruckuswireless h320Ruckuswireless h350Ruckuswireless h510Ruckuswireless h550Ruckuswireless m510Ruckuswireless r310Ruckuswireless r320Ruckuswireless r350Ruckuswireless r510Ruckuswireless r550Ruckuswireless r610Ruckuswireless r650Ruckuswireless r710Ruckuswireless r720Ruckuswireless r730Ruckuswireless r750Ruckuswireless r760
Check this CVE live
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
- https://support.ruckuswireless.com/security_bulletins/315
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-25717
Data: NIST NVD + CISA KEV. NVD last modified 2025-11-03. Always verify against the vendor advisory before acting.