CVE-2025-46122
CRITICALDescription
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation, enabling a remote attacker to specify a target by MAC address and execute arbitrary commands as root.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| ruckuswireless | ruckus_unleashed |
| ruckuswireless | ruckus_unleashed |
| ruckuswireless | ruckus_zonedirector |
| commscope | ruckus_c110 |
| commscope | ruckus_e510 |
| commscope | ruckus_h320 |
| commscope | ruckus_h350 |
| commscope | ruckus_h510 |
| commscope | ruckus_h550 |
| commscope | ruckus_m510 |
| commscope | ruckus_m510-jp |
| commscope | ruckus_r310 |
| commscope | ruckus_r320 |
| commscope | ruckus_r350 |
| commscope | ruckus_r350e |
| commscope | ruckus_r510 |
| commscope | ruckus_r550 |
| commscope | ruckus_r560 |
| commscope | ruckus_r610 |
| commscope | ruckus_r650 |
| commscope | ruckus_r670 |
| commscope | ruckus_r710 |
| commscope | ruckus_r720 |
| commscope | ruckus_r730 |
| commscope | ruckus_r750 |
| commscope | ruckus_r760 |
| commscope | ruckus_r770 |
| commscope | ruckus_r850 |
| commscope | ruckus_t310c |
| commscope | ruckus_t310n |
| commscope | ruckus_t310s |
| commscope | ruckus_t350c |
| commscope | ruckus_t350d |
| commscope | ruckus_t350se |
| commscope | ruckus_t610 |
| commscope | ruckus_t670 |
| commscope | ruckus_t710 |
| commscope | ruckus_t710s |
| commscope | ruckus_t750 |
| commscope | ruckus_t750se |
| commscope | ruckus_t811-cm |
| commscope | ruckus_t811-cm_\(non-sfp\) |
| commscope | zonedirector_1200 |
References
Frequently Asked Questions
What is CVE-2025-46122? +
How severe is CVE-2025-46122? +
What products are affected by CVE-2025-46122? +
How do I check if I'm vulnerable to CVE-2025-46122? +
Related Vulnerabilities
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments …
launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the …
Honeywell OneWireless Wireless Device Manager (WDM) for the following versions R310.x, R320.x, R321.x, R322.1, R322.2, R323.x, R330.1 contains a command …
Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found …
The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management …
A vulnerability in the web-based management interface of multiple Ligowave devices could allow an authenticated remote attacker to execute arbitrary …