CVE-2025-69426

Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded SSH Credentials RCE

Assigner: VulnCheck
Reserved: 08.01.2026 Published: 09.01.2026 Updated: 09.01.2026

The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 10

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	RUCKUS Networks
Product	vRIoT IOT Controller
Versions	Default: unaffected affected from 2.3.0.0 (GA) to 3.0.0.0 (GA) (excl.) affected from 2.3.1.0 (MR) to 3.0.0.0 (GA) (excl.) affected from 2.4.0.0 (GA) to 3.0.0.0 (GA) (excl.)

Vendor

RUCKUS Networks

Product

vRIoT IOT Controller

Versions

Default: unaffected

affected from 2.3.0.0 (GA) to 3.0.0.0 (GA) (excl.)
affected from 2.3.1.0 (MR) to 3.0.0.0 (GA) (excl.)
affected from 2.4.0.0 (GA) to 3.0.0.0 (GA) (excl.)

Credits

Ivan Racic finder

References

Problem Types