Critical unpatched vulnerabilities reported in Ruckus Wireless Management Systems
Take action: If you have Ruckus Virtual SmartZone or Network Director systems, immediately isolate them from untrusted networks and the internet. Restrict access to only essential trusted administrators using secure protocols. Contact CommScope/Ruckus directly for patches.
Learn More
Myltiple vulnerabilities are reported in the Ruckus Networks systems that. The vulnerabilities affect Virtual SmartZone (vSZ) and Ruckus Network Director (RND), two wireless management platforms that control large-scale Wi-Fi infrastructures in schools, hospitals, smart cities, and corporate environments.
The vulnerabilities were discovered by cybersecurity researcher Noam Moshe from Claroty's Team82 research division and reported to Carnegie Mellon University's CERT Coordination Center (CERT/CC).
Vulnerabilities summary:
Specific CVSS scores have not been calculated, but CERT/CC warns that the flaws have a broad impact, are easily exploitable and can be chained together for more damage.
- CVE-2025-44957 – Hardcoded secrets in Virtual SmartZone, including JWT signing keys and API keys, allowing authentication bypass and administrator-level access through crafted HTTP headers
- CVE-2025-44962 – Path traversal vulnerability in Virtual SmartZone enabling authenticated users to read arbitrary files outside designated directories using "../" sequences
- CVE-2025-44954 – Hardcoded default public and private SSH keys in Virtual SmartZone that allow unauthenticated remote code execution with root privileges for anyone possessing the private key
- CVE-2025-44960 – OS command injection in Virtual SmartZone through unsanitized user-controlled parameters in API routes, allowing execution of arbitrary operating system commands
- CVE-2025-44961 – Command injection vulnerability in Virtual SmartZone where authenticated users can supply unsanitized IP addresses to OS commands, enabling remote code execution
- CVE-2025-44963 – Hardcoded JWT secret key in Ruckus Network Director's backend web server, allowing attackers to forge valid administrative session tokens and bypass authentication
- CVE-2025-44955 – Weak hardcoded password protecting a "jailed" environment in Ruckus Network Director with built-in jailbreak functionality for gaining root access
- CVE-2025-6243 – Hardcoded SSH public and private keys for a root-privileged user account (sshuser) in Ruckus Network Director, providing unauthorized root access
- CVE-2025-44958 – Weak encryption of stored passwords in Ruckus Network Director using hardcoded secret keys, allowing password recovery in plaintext if the system is compromised
Neither CERT/CC nor the researcher have been able to contact Ruckus Wireless (now Ruckus Networks) or its parent company CommScope about these issues.
Currently, no patches or fixes are available for any of these vulnerabilities. CERT/CC recommends that network administrators limit access to wireless management environments that use these affected products, allowing only a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via secure protocols such as HTTPS or SSH,
Organizations currently using affected Ruckus products,should implement mitigating actions ASAP and reach out to the vendor for patches.
