CVE-2025-46120

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-46120
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a remote unauthenticated attacker who can upload a template (e.g., via FTP) to escalate privileges and run arbitrary template code on the controller.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ Exploit Third Party Advisory
https://support.ruckuswireless.com/security_bulletins/330 Product
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:ruckuswireless:ruckus_unleashed:*:*:*:*:*:*:*:*
cpe:2.3:a:ruckuswireless:ruckus_unleashed:*:*:*:*:*:*:*:*
cpe:2.3:a:ruckuswireless:ruckus_zonedirector:*:*:*:*:*:*:*:*
OR cpe:2.3:h:commscope:ruckus_c110:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_e510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h320:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h350:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h550:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_m510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_m510-jp:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r310:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r320:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r350:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r350e:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r550:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r560:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r610:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r650:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r670:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r710:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r720:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r730:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r750:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r760:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r770:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r850:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310c:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310n:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310s:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350c:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350d:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350se:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t610:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t670:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t710:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t710s:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t750:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t750se:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t811-cm:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:zonedirector_1200:-:*:*:*:*:*:*:*
History

05 Aug 2025, 17:18

Type Values Removed Values Added
References () https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ - () https://sector7.computest.nl/post/2025-07-ruckus-unleashed/ - Exploit, Third Party Advisory
References () https://support.ruckuswireless.com/security_bulletins/330 - () https://support.ruckuswireless.com/security_bulletins/330 - Product
First Time Commscope ruckus R750
Commscope ruckus C110
Commscope ruckus R730
Ruckuswireless
Commscope ruckus M510
Commscope ruckus H320
Commscope ruckus T350se
Commscope ruckus T350c
Commscope ruckus R350e
Commscope ruckus R650
Commscope ruckus T310s
Commscope ruckus T670
Commscope ruckus H350
Commscope ruckus R310
Commscope ruckus T710
Commscope ruckus R550
Commscope ruckus R510
Commscope ruckus R560
Commscope ruckus R720
Commscope ruckus T610
Commscope ruckus T750
Commscope ruckus M510-jp
Ruckuswireless ruckus Zonedirector
Commscope ruckus T811-cm \(non-sfp\)
Commscope ruckus R350
Commscope ruckus R850
Commscope ruckus E510
Commscope ruckus T710s
Commscope ruckus R320
Commscope ruckus R670
Ruckuswireless ruckus Unleashed
Commscope ruckus H550
Commscope ruckus R610
Commscope zonedirector 1200
Commscope ruckus R770
Commscope ruckus R710
Commscope ruckus T310c
Commscope ruckus R760
Commscope ruckus T310n
Commscope ruckus T750se
Commscope ruckus H510
Commscope ruckus T350d
Commscope ruckus T811-cm
Commscope
CPE cpe:2.3:h:commscope:ruckus_t350d:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r350e:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310c:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r720:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r670:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r750:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h350:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t811-cm:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t710:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r850:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_e510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_m510-jp:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350se:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r320:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:zonedirector_1200:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t350c:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t710s:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h550:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310s:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t750:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t811-cm_\(non-sfp\):-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r710:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r610:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r760:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t610:-:*:*:*:*:*:*:*
cpe:2.3:a:ruckuswireless:ruckus_zonedirector:*:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r310:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_c110:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r550:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t670:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t310n:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_m510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r510:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r560:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r650:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_t750se:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r350:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r730:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_r770:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:ruckus_h320:-:*:*:*:*:*:*:*
cpe:2.3:a:ruckuswireless:ruckus_unleashed:*:*:*:*:*:*:*:*

23 Jul 2025, 18:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.5 		v2 : unknown
v3 : 9.8
Summary
  • (es) Se descubrió un problema en CommScope Ruckus Unleashed anterior a 200.14.6.1.203 y en Ruckus ZoneDirector, donde una falla de Path-Traversal en la interfaz web permite que el servidor ejecute plantillas EJS proporcionadas por el atacante fuera de los directorios permitidos, lo que permite que un atacante remoto no autenticado que puede cargar una plantilla (por ejemplo, a través de FTP) escale privilegios y ejecute código de plantilla arbitrario en el controlador.

22 Jul 2025, 17:15

Type Values Removed Values Added
References
  • {'url': 'http://commscope.com', 'source': 'cve@mitre.org'}

22 Jul 2025, 16:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
CWE CWE-22

22 Jul 2025, 14:15

Type Values Removed Values Added
Summary (en) An issue was discovered in CommScope Ruckus Unleashed prior to 200.14.6.1.203 and in Ruckus ZoneDirector, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a remote unauthenticated attacker who can upload a template (e.g., via FTP) to escalate privileges and run arbitrary template code on the controller. (en) An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a remote unauthenticated attacker who can upload a template (e.g., via FTP) to escalate privileges and run arbitrary template code on the controller.

21 Jul 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-21 15:15

Updated : 2025-08-05 17:18

NVD link : CVE-2025-46120

Mitre link : CVE-2025-46120

CVE.ORG link : CVE-2025-46120

JSON object : View

Products Affected

commscope

  • ruckus_r670
  • ruckus_h510
  • ruckus_m510
  • ruckus_r650
  • ruckus_r770
  • ruckus_r610
  • ruckus_t350se
  • ruckus_m510-jp
  • ruckus_t811-cm_\(non-sfp\)
  • ruckus_r550
  • ruckus_r720
  • ruckus_c110
  • ruckus_r760
  • zonedirector_1200
  • ruckus_t670
  • ruckus_r750
  • ruckus_r350e
  • ruckus_r350
  • ruckus_r730
  • ruckus_r560
  • ruckus_t710
  • ruckus_r320
  • ruckus_t310n
  • ruckus_e510
  • ruckus_h550
  • ruckus_t811-cm
  • ruckus_r850
  • ruckus_h350
  • ruckus_r510
  • ruckus_t350c
  • ruckus_t610
  • ruckus_t310c
  • ruckus_t750
  • ruckus_r310
  • ruckus_r710
  • ruckus_t310s
  • ruckus_t750se
  • ruckus_t710s
  • ruckus_t350d
  • ruckus_h320

ruckuswireless

  • ruckus_zonedirector
  • ruckus_unleashed
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')