A pair of critical security vulnerabilities has been disclosed in the Ruckus vRIoT IoT Controller, the central brain for managing enterprise IoT devices. Both flaws carry the maximum possible CVSS score of 10.0, indicating that they are easy to exploit and result in total system compromise.
The vulnerabilities, tracked as CVE-2025-69425 and CVE-2025-69426, stem from a failure to secure internal authentication mechanisms. In both cases, developers left hardcoded keys that attackers can use to bypass security and seize root privileges.
The flaws affect all Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA).
CVE-2025-69425: The Port 2004 Backdoor
The first flaw involves a command execution service listening on TCP port 2004. This service runs with root privileges, making it a high-value target.
While the service implements authentication, the mechanism is fundamentally flawed. It relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. Because these secrets are hardcoded into the appliance, an attacker who extracts them (from a compromised device or firmware analysis) can generate valid tokens at will.
Armed with these tokens, an attacker can connect to port 2004 and execute arbitrary OS commands as root, taking full control of the controller.
CVE-2025-69426: The SSH Docker Escape
The second vulnerability is a masterclass in how partial restrictions can fail. It begins with hardcoded credentials for an operating system user account found inside an initialization script.
While the SSH configuration for this account attempts to restrict access (disabling SCP and pseudo-TTY allocation), it leaves the network door open. An attacker using the hardcoded credentials can authenticate via SSH and establish local port forwarding.
The attack path is ingenious:
- Authenticate: Log in using the hardcoded credentials.
- Tunnel: Use SSH port forwarding to access the internal Docker socket.
- Escape: By issuing Docker commands through the tunnel, the attacker can mount the host’s filesystem into a new container.
- Compromise: From within that container, they can modify the host OS, effectively escaping the sandbox and executing commands as root on the underlying vRIoT controller.
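An added example, not from the advisory or from Ruckus's actual configuration, that audits sshd_config `Match` blocks for the gap described above: a restricted account whose PTY and SCP are disabled but whose forwarding directives are left at their OpenSSH defaults. The user name, config fragments and directive set are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sshd_config fragments (illustrative, not the vendor's configuration).
# WEAK mirrors the partial-restriction pattern: no PTY, no shell, but forwarding is
# left at the OpenSSH default (AllowTcpForwarding yes), so the account is still a pivot.
WEAK_SSHD_CONFIG = """
PermitRootLogin no
Match User svc_iot
    PermitTTY no
    ForceCommand /bin/false
"""

# HARDENED closes the forwarding paths explicitly inside the same Match block.
HARDENED_SSHD_CONFIG = """
PermitRootLogin no
Match User svc_iot
    PermitTTY no
    ForceCommand /bin/false
    AllowTcpForwarding no
    PermitOpen none
    AllowStreamLocalForwarding no
    PermitTunnel no
"""

# Directives a restricted account must set to "no": TCP forwarding, unix-socket
# (stream-local) forwarding and tun devices. Keys are lowercased for comparison.
REQUIRED = {
    "allowtcpforwarding": "no",
    "allowstreamlocalforwarding": "no",
    "permittunnel": "no",
}

def parse_match_blocks(config: str) -> Dict[str, Dict[str, str]]:
    """Return {match criteria: {directive: value}} for each Match block."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "key value" or "key=value"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = value
            blocks[current] = {}
        elif current is not None:
            blocks[current][key] = value
    return blocks

def audit_forwarding(config: str) -> Dict[str, List[str]]:
    """Per Match block, list required forwarding directives missing or not set to 'no'."""
    findings: Dict[str, List[str]] = {}
    for criteria, directives in parse_match_blocks(config).items():
        gaps = [d for d, want in REQUIRED.items() if directives.get(d, "").lower() != want]
        if gaps:
            findings[criteria] = gaps
    return findings
```

Running `audit_forwarding` over a real sshd_config flags every `Match` block that restricts a login without also disabling forwarding; the global section is not checked here, so an account outside any `Match` block inherits whatever the global defaults are.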
Remediation
These are “game-over” vulnerabilities for any exposed controller. Ruckus has addressed both issues in firmware version 3.0.0.0 (GA). Administrators are urged to upgrade immediately to remove the hardcoded credentials and close these attack vectors.