Vulnerability Description
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise.
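As an added defender-side example (not code from the advisory or the vendor): a small Python triage script that flags inventoried controllers still running firmware earlier than 3.0.0.0 and picks out flow-log connections to TCP/2004 that did not originate from the management subnet. The inventory, the flow-log lines and the management subnet 10.0.10.0/24 are constructed assumptions; only the port and the fixed version come from the advisory.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample data: an assumed inventory of vRIoT controllers and their firmware.
INVENTORY = {
    "vriot-01": "2.9.0.0",
    "vriot-02": "3.0.0.0 (GA)",
    "vriot-03": "3.0.1.0",
}
# Assumed management subnet that is permitted to reach the controllers on port 2004.
MANAGEMENT_NET = ip_network("10.0.10.0/24")
FIXED_VERSION = (3, 0, 0, 0)   # first release without the hardcoded-token service (per advisory)
SERVICE_PORT = 2004            # root-privileged command service listed in the advisory

def parse_version(text):
    """Turn '3.0.0.0 (GA)' or '2.9.1.0' into a comparable 4-tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))  # pad short strings, e.g. '3.0' -> 3.0.0.0

def is_vulnerable(version):
    return parse_version(version) < FIXED_VERSION

def vulnerable_hosts(inventory):
    return sorted(h for h, v in inventory.items() if is_vulnerable(v))

# Constructed flow-log lines: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
FLOW_LOG = """\
2025-01-10T08:01:02Z 10.0.10.5:51022 -> 10.0.20.7:2004 tcp
2025-01-10T08:01:09Z 192.168.44.9:40112 -> 10.0.20.7:2004 tcp
2025-01-10T08:02:30Z 10.0.10.5:51023 -> 10.0.20.7:443 tcp
2025-01-10T08:03:11Z 172.16.3.3:35514 -> 10.0.20.8:2004 tcp
"""
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

def suspicious_port_2004_flows(log_text, allowed_net=MANAGEMENT_NET):
    """Return (timestamp, src, dst) for TCP/2004 connections not from the management net."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, proto = m.groups()
        if proto == "tcp" and int(dport) == SERVICE_PORT and ip_address(src) not in allowed_net:
            hits.append((ts, src, dst))
    return hits
```

Controllers returned by `vulnerable_hosts` need the upgrade; any hit from `suspicious_port_2004_flows` deserves investigation until the upgrade is applied and the port is firewalled to management hosts.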
Related Weaknesses (CWE)
References
- https://support.ruckuswireless.com/security_bulletins/336
- https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-token
FAQ
What is CVE-2025-69425?
CVE-2025-69425 is a documented vulnerability. The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a har...
How severe is CVE-2025-69425?
CVSS scoring is not yet available for CVE-2025-69425. Check NVD for updates.
Is there a patch for CVE-2025-69425?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.