CommScope Ruckus Unleashed
cpe:2.3:h:ruckuswireless:unleashed:*:*:*:*:*:*:*
- < 200.15.6.212.14
- < 200.17.7.0.139
A format string vulnerability has been identified in CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 and 200.17.7.0.139. The issue arises in the 'stamgr_cfg_adpt_addStaFavourite' and 'stamgr_cfg_adpt_addStaIot' functions, where client hostnames are passed directly to 'snprintf' as the format string. This flaw can be exploited by sending a crafted DHCP request from a device connected to the guest WiFi network, spoofing the MAC address of a favorite station. Because the client-supplied hostname is processed as a format string, the vulnerability leads to arbitrary code execution on the affected controller.
Exploitation of this vulnerability allows for remote code execution on the affected Ruckus Unleashed controller.
To reproduce this vulnerability, first mark a client as a favorite through the Ruckus Unleashed management interface. Then, connect a device to the guest WiFi network and spoof the MAC address of the favorite station. Send a DHCP request with format string specifiers embedded in the hostname field. The controller will process the request, leading to code execution.
Users are advised to update to Ruckus Unleashed versions 200.18.7.1.323 or later, and to ZoneDirector version 10.5.1.0.282 or later. After updating, revoke and regenerate any custom SSL certificates and private keys.
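The root cause described above is a client-supplied hostname used as the format argument of 'snprintf'. The following is an added example, not code from the Ruckus firmware or from this page; the function names store_hostname and hostname_is_valid and the sample hostnames are hypothetical. It shows the corrected call with a fixed format, plus a character-set check on the hostname as defence in depth.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the advisory, shown only as a comment:
 *     snprintf(out, out_len, hostname);    hostname is the format string
 * Helper names below are hypothetical, not the firmware's own code. */

/* Hardened form: the hostname is data for a constant "%s" format.
 * Returns 0 on success, -1 on bad arguments or truncation. */
int store_hostname(char *out, size_t out_len, const char *hostname)
{
    if (out == NULL || hostname == NULL || out_len == 0)
        return -1;
    int n = snprintf(out, out_len, "%s", hostname);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';               /* do not keep a truncated name */
        return -1;
    }
    return 0;
}

/* Defence in depth: accept only letters, digits, '-' and '.', with
 * 1..253 bytes in total and 1..63 bytes per label. '%' is rejected. */
int hostname_is_valid(const char *h)
{
    size_t len = h ? strlen(h) : 0, label = 0;
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0) return 0;       /* empty label */
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (++label > 63) return 0;     /* label too long */
        } else {
            return 0;                       /* '%', spaces, control bytes */
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample hostnames, as a DHCP client might supply them. */
    const char *s[] = { "laptop-01", "printer.lan", "%x.%x.%x", "a b" };
    char buf[64];
    for (size_t i = 0; i < 4; i++)
        printf("%s: valid=%d stored=%d\n", s[i], hostname_is_valid(s[i]),
               store_hostname(buf, sizeof buf, s[i]));
    return 0;
}
```

With the fixed format, a hostname containing conversion specifiers is copied byte for byte instead of being interpreted; the validator lets the caller drop such names before they reach any formatting or logging code.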