Vulnerability Description
Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Commscope | Ruckus Vriot | <= 1.5.1.0.21 |
| Commscope | Ruckus Iot Module | - |
Related Weaknesses (CWE)
References
- https://adepts.of0x.ccThird Party Advisory
- https://adepts.of0x.cc/ruckus-vriot-rce/ExploitThird Party Advisory
- https://support.ruckuswireless.com/documentsVendor Advisory
- https://support.ruckuswireless.com/security_bulletins/305ProductVendor Advisory
- https://twitter.com/TheXC3LLThird Party Advisory
- https://x-c3ll.github.ioThird Party Advisory
- https://adepts.of0x.ccThird Party Advisory
- https://adepts.of0x.cc/ruckus-vriot-rce/ExploitThird Party Advisory
- https://support.ruckuswireless.com/documentsVendor Advisory
- https://support.ruckuswireless.com/security_bulletins/305ProductVendor Advisory
- https://twitter.com/TheXC3LLThird Party Advisory
- https://x-c3ll.github.ioThird Party Advisory
FAQ
What is CVE-2020-26878?
CVE-2020-26878 is a vulnerability with a CVSS score of 8.8 (HIGH). Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be exec...
How severe is CVE-2020-26878?
CVE-2020-26878 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26878?
Check the references section above for vendor advisories and patch information. Affected products include: Commscope Ruckus Vriot, Commscope Ruckus Iot Module.