Home

Description

The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise.

PUBLISHED Reserved 2026-01-08 | Published 2026-01-09 | Updated 2026-01-09 | Assigner VulnCheck




CRITICAL: 10.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-732 Incorrect Permission Assignment for Critical Resource

CWE-798 Use of Hard-coded Credentials

Product status

Default status
unaffected

2.3.0.0 (GA) (semver) before 3.0.0.0 (GA)
affected

2.3.1.0 (MR) (semver) before 3.0.0.0 (GA)
affected

2.4.0.0 (GA) (semver) before 3.0.0.0 (GA)
affected

Credits

Ivan Racic finder

References

support.ruckuswireless.com/security_bulletins/336 vendor-advisory patch

www.vulncheck.com/...ontroller-hardcoded-ssh-credentials-rce third-party-advisory

cve.org (CVE-2025-69426)

nvd.nist.gov (CVE-2025-69426)

Download JSON