9.8

CVE-2025-46121

Exploit

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.

Data is provided by the National Vulnerability Database (NVD)
RuckuswirelessRuckus Unleashed Version < 200.15.6.212.14
   CommscopeRuckus C110 Version-
   CommscopeRuckus E510 Version-
   CommscopeRuckus H320 Version-
   CommscopeRuckus H350 Version-
   CommscopeRuckus H510 Version-
   CommscopeRuckus H550 Version-
   CommscopeRuckus M510 Version-
   CommscopeRuckus M510-jp Version-
   CommscopeRuckus R310 Version-
   CommscopeRuckus R320 Version-
   CommscopeRuckus R350 Version-
   CommscopeRuckus R350e Version-
   CommscopeRuckus R510 Version-
   CommscopeRuckus R550 Version-
   CommscopeRuckus R560 Version-
   CommscopeRuckus R610 Version-
   CommscopeRuckus R650 Version-
   CommscopeRuckus R670 Version-
   CommscopeRuckus R710 Version-
   CommscopeRuckus R720 Version-
   CommscopeRuckus R730 Version-
   CommscopeRuckus R750 Version-
   CommscopeRuckus R760 Version-
   CommscopeRuckus R770 Version-
   CommscopeRuckus R850 Version-
   CommscopeRuckus T310c Version-
   CommscopeRuckus T310n Version-
   CommscopeRuckus T310s Version-
   CommscopeRuckus T350c Version-
   CommscopeRuckus T350d Version-
   CommscopeRuckus T350se Version-
   CommscopeRuckus T610 Version-
   CommscopeRuckus T670 Version-
   CommscopeRuckus T710 Version-
   CommscopeRuckus T710s Version-
   CommscopeRuckus T750 Version-
   CommscopeRuckus T750se Version-
   CommscopeRuckus T811-cm Version-
   CommscopeZonedirector 1200 Version-
RuckuswirelessRuckus Unleashed Version >= 200.17 < 200.17.7.0.139
   CommscopeRuckus C110 Version-
   CommscopeRuckus E510 Version-
   CommscopeRuckus H320 Version-
   CommscopeRuckus H350 Version-
   CommscopeRuckus H510 Version-
   CommscopeRuckus H550 Version-
   CommscopeRuckus M510 Version-
   CommscopeRuckus M510-jp Version-
   CommscopeRuckus R310 Version-
   CommscopeRuckus R320 Version-
   CommscopeRuckus R350 Version-
   CommscopeRuckus R350e Version-
   CommscopeRuckus R510 Version-
   CommscopeRuckus R550 Version-
   CommscopeRuckus R560 Version-
   CommscopeRuckus R610 Version-
   CommscopeRuckus R650 Version-
   CommscopeRuckus R670 Version-
   CommscopeRuckus R710 Version-
   CommscopeRuckus R720 Version-
   CommscopeRuckus R730 Version-
   CommscopeRuckus R750 Version-
   CommscopeRuckus R760 Version-
   CommscopeRuckus R770 Version-
   CommscopeRuckus R850 Version-
   CommscopeRuckus T310c Version-
   CommscopeRuckus T310n Version-
   CommscopeRuckus T310s Version-
   CommscopeRuckus T350c Version-
   CommscopeRuckus T350d Version-
   CommscopeRuckus T350se Version-
   CommscopeRuckus T610 Version-
   CommscopeRuckus T670 Version-
   CommscopeRuckus T710 Version-
   CommscopeRuckus T710s Version-
   CommscopeRuckus T750 Version-
   CommscopeRuckus T750se Version-
   CommscopeRuckus T811-cm Version-
   CommscopeZonedirector 1200 Version-
RuckuswirelessRuckus Zonedirector Version < 10.5.1.0.279
   CommscopeRuckus C110 Version-
   CommscopeRuckus E510 Version-
   CommscopeRuckus H320 Version-
   CommscopeRuckus H350 Version-
   CommscopeRuckus H510 Version-
   CommscopeRuckus H550 Version-
   CommscopeRuckus M510 Version-
   CommscopeRuckus M510-jp Version-
   CommscopeRuckus R310 Version-
   CommscopeRuckus R320 Version-
   CommscopeRuckus R350 Version-
   CommscopeRuckus R350e Version-
   CommscopeRuckus R510 Version-
   CommscopeRuckus R550 Version-
   CommscopeRuckus R560 Version-
   CommscopeRuckus R610 Version-
   CommscopeRuckus R650 Version-
   CommscopeRuckus R670 Version-
   CommscopeRuckus R710 Version-
   CommscopeRuckus R720 Version-
   CommscopeRuckus R730 Version-
   CommscopeRuckus R750 Version-
   CommscopeRuckus R760 Version-
   CommscopeRuckus R770 Version-
   CommscopeRuckus R850 Version-
   CommscopeRuckus T310c Version-
   CommscopeRuckus T310n Version-
   CommscopeRuckus T310s Version-
   CommscopeRuckus T350c Version-
   CommscopeRuckus T350d Version-
   CommscopeRuckus T350se Version-
   CommscopeRuckus T610 Version-
   CommscopeRuckus T670 Version-
   CommscopeRuckus T710 Version-
   CommscopeRuckus T710s Version-
   CommscopeRuckus T750 Version-
   CommscopeRuckus T750se Version-
   CommscopeRuckus T811-cm Version-
   CommscopeZonedirector 1200 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.65% 0.699
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-134 Use of Externally-Controlled Format String

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.