CVE-2025-46121

CRITICAL
Published Jul 21, 2025 Modified Aug 5, 2025 CWE-134

Description

An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.

CVSS v3.1 Score

9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-134 CWE-134

Affected Products

Vendor Product
ruckuswireless ruckus_unleashed
ruckuswireless ruckus_unleashed
ruckuswireless ruckus_zonedirector
commscope ruckus_c110
commscope ruckus_e510
commscope ruckus_h320
commscope ruckus_h350
commscope ruckus_h510
commscope ruckus_h550
commscope ruckus_m510
commscope ruckus_m510-jp
commscope ruckus_r310
commscope ruckus_r320
commscope ruckus_r350
commscope ruckus_r350e
commscope ruckus_r510
commscope ruckus_r550
commscope ruckus_r560
commscope ruckus_r610
commscope ruckus_r650
commscope ruckus_r670
commscope ruckus_r710
commscope ruckus_r720
commscope ruckus_r730
commscope ruckus_r750
commscope ruckus_r760
commscope ruckus_r770
commscope ruckus_r850
commscope ruckus_t310c
commscope ruckus_t310n
commscope ruckus_t310s
commscope ruckus_t350c
commscope ruckus_t350d
commscope ruckus_t350se
commscope ruckus_t610
commscope ruckus_t670
commscope ruckus_t710
commscope ruckus_t710s
commscope ruckus_t750
commscope ruckus_t750se
commscope ruckus_t811-cm
commscope ruckus_t811-cm_\(non-sfp\)
commscope zonedirector_1200

References

Frequently Asked Questions

What is CVE-2025-46121? +
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller. It has a CVSS v3.1 base score of 9.8 (CRITICAL).
How severe is CVE-2025-46121? +
CVE-2025-46121 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.
What products are affected by CVE-2025-46121? +
CVE-2025-46121 affects products from commscope, ruckuswireless, specifically: ruckus_c110, ruckus_e510, ruckus_h320, ruckus_h350, ruckus_h510, ruckus_h550, ruckus_m510, ruckus_m510-jp, ruckus_r310, ruckus_r320, ruckus_r350, ruckus_r350e, ruckus_r510, ruckus_r550, ruckus_r560, ruckus_r610, ruckus_r650, ruckus_r670, ruckus_r710, ruckus_r720, ruckus_r730, ruckus_r750, ruckus_r760, ruckus_r770, ruckus_r850, ruckus_t310c, ruckus_t310n, ruckus_t310s, ruckus_t350c, ruckus_t350d, ruckus_t350se, ruckus_t610, ruckus_t670, ruckus_t710, ruckus_t710s, ruckus_t750, ruckus_t750se, ruckus_t811-cm, ruckus_t811-cm_\(non-sfp\), ruckus_unleashed, ruckus_zonedirector, zonedirector_1200. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-46121? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2012-10055

ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending …
CVE-2011-10029

Solar FTP Server fails to properly handle format strings passed to the USER command. When a specially crafted string containing …
CVE-2010-10017

WM Downloader version 3.1.2.2 is vulnerable to a buffer overflow when processing a specially crafted .m3u playlist file. The application …
CVE-2024-9129

In versions of Zend Server 8.5 and prior to version 9.2 a format string injection was discovered. Reported by Dylan …
CVE-2025-40600 9.8

Use of Externally-Controlled Format String vulnerability in the SonicOS SSL VPN interface allows a remote unauthenticated attacker to cause service …
CVE-2023-53966 9.8

SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-46121 — free, no signup required.

Start Free Scan