Vulnerability Details CVE-2025-46121
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 60.9%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2025-46121
-
cpe:2.3:a:ruckuswireless:ruckus_unleashed:*
-
cpe:2.3:a:ruckuswireless:ruckus_zonedirector:*
-
cpe:2.3:h:commscope:ruckus_c110:-
-
cpe:2.3:h:commscope:ruckus_e510:-
-
cpe:2.3:h:commscope:ruckus_h320:-
-
cpe:2.3:h:commscope:ruckus_h350:-
-
cpe:2.3:h:commscope:ruckus_h510:-
-
cpe:2.3:h:commscope:ruckus_h550:-
-
cpe:2.3:h:commscope:ruckus_m510-jp:-
-
cpe:2.3:h:commscope:ruckus_m510:-
-
cpe:2.3:h:commscope:ruckus_r310:-
-
cpe:2.3:h:commscope:ruckus_r320:-
-
cpe:2.3:h:commscope:ruckus_r350:-
-
cpe:2.3:h:commscope:ruckus_r350e:-
-
cpe:2.3:h:commscope:ruckus_r510:-
-
cpe:2.3:h:commscope:ruckus_r550:-
-
cpe:2.3:h:commscope:ruckus_r560:-
-
cpe:2.3:h:commscope:ruckus_r610:-
-
cpe:2.3:h:commscope:ruckus_r650:-
-
cpe:2.3:h:commscope:ruckus_r670:-
-
cpe:2.3:h:commscope:ruckus_r710:-
-
cpe:2.3:h:commscope:ruckus_r720:-
-
cpe:2.3:h:commscope:ruckus_r730:-
-
cpe:2.3:h:commscope:ruckus_r750:-
-
cpe:2.3:h:commscope:ruckus_r760:-
-
cpe:2.3:h:commscope:ruckus_r770:-
-
cpe:2.3:h:commscope:ruckus_r850:-
-
cpe:2.3:h:commscope:ruckus_t310c:-
-
cpe:2.3:h:commscope:ruckus_t310n:-
-
cpe:2.3:h:commscope:ruckus_t310s:-
-
cpe:2.3:h:commscope:ruckus_t350c:-
-
cpe:2.3:h:commscope:ruckus_t350d:-
-
cpe:2.3:h:commscope:ruckus_t350se:-
-
cpe:2.3:h:commscope:ruckus_t610:-
-
cpe:2.3:h:commscope:ruckus_t670:-
-
cpe:2.3:h:commscope:ruckus_t710:-
-
cpe:2.3:h:commscope:ruckus_t710s:-
-
cpe:2.3:h:commscope:ruckus_t750:-
-
cpe:2.3:h:commscope:ruckus_t750se:-
-
cpe:2.3:h:commscope:ruckus_t811-cm:-
-
cpe:2.3:h:commscope:ruckus_t811-cm_(non-sfp):-
-
cpe:2.3:h:commscope:zonedirector_1200:-