Multiple Ruckus Wireless Products CSRF and RCE Vulnerability

Technical Severity

CVSS v3.1 Metrics

CRITICAL

9.8 / 10

Minimal Risk Critical

Vector Specification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Likelihood

EPSS Prediction

94.24 %

Predictive Probability

Percentile Rank

99.9 th

Documented as more likely to be exploited than 99.9% of known CVEs.

Detection Date

May 12, 2023

Remediation Due

Jun 02, 2023

CISA Catalog Active

Threat Analysis

Ruckus Wireless Access Point (AP) software contains an unspecified vulnerability in the web services component. If the web services component is enabled on the AP, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability impacts Ruckus ZoneDirector, SmartZone, and Solo APs.

Remediation Directive

Apply updates per vendor instructions or disconnect product if it is end-of-life.

Asset Context

Vendor Identity

Ruckus Wireless

Affected Product

Multiple Products

Ransomware Status

Campaign Use Unknown

Weakness Classification

CWE-94

External Intelligence

https://support.ruckuswireless.com/security_bulletins/315

NVD

National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2023-25717