CVE-2025-69425

Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded Tokens RCE

Assigner: VulnCheck
Reserved: 08.01.2026 Published: 09.01.2026 Updated: 09.01.2026

The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 10

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	RUCKUS Networks
Product	vRIoT IoT Controller
Versions	Default: unaffected affected from 2.3.0.0 (GA) to 3.0.0.0 (GA) (excl.) affected from 2.3.1.0 (MR) to 3.0.0.0 (GA) (excl.) affected from 2.4.0.0 (GA) to 3.0.0.0 (GA) (excl.)

Vendor

RUCKUS Networks

Product

vRIoT IoT Controller

Versions

Default: unaffected

affected from 2.3.0.0 (GA) to 3.0.0.0 (GA) (excl.)
affected from 2.3.1.0 (MR) to 3.0.0.0 (GA) (excl.)
affected from 2.4.0.0 (GA) to 3.0.0.0 (GA) (excl.)

Credits

Ivan Racic finder

References

Problem Types