Ruckus vRIoT IoT Controller Command Execution Vulnerability via Hardcoded Tokens

Vulnerability

A command execution vulnerability has been identified in the Ruckus vRIoT IoT Controller, affecting firmware versions through 2.4.0.0 (GA) and 2.3.1.0 (MR). The vulnerability arises from a command execution service that listens on TCP port 2004 and runs with root privileges. Authentication for this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token, neither of which is unique to an installation. An attacker who extracts these credentials from the appliance or from a compromised device can generate valid authentication tokens and execute arbitrary operating system commands as root, leading to complete system compromise.

Impact

Successful exploitation allows arbitrary command execution with root privileges, giving the attacker full control over the affected system.

Remediation

Users are advised to upgrade to Ruckus IoT Controller version 3.0.0.0 (GA) or later.
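As an added example (not part of the original advisory and not vendor code), the following Python helper triages a fleet inventory against this advisory: it parses version strings in the advisory's "2.4.0.0 (GA)" form, treats anything below the fixed release 3.0.0.0 as affected, and raises the severity when the inventory also shows TCP port 2004 reachable from outside the management network. The inventory records, their field names, and the severity labels are constructed assumptions for illustration; the version numbers and port come from the advisory.

```python
import re
from dataclasses import dataclass

# Values taken from the advisory text: affected through 2.4.0.0 (GA) and
# 2.3.1.0 (MR); fixed in 3.0.0.0 (GA) or later; service listens on TCP 2004.
FIXED_VERSION = (3, 0, 0, 0)
SERVICE_PORT = 2004

# Matches "2.4.0.0 (GA)", "2.3.1.0 (MR)", "3.0.0.0", "3.1" and similar forms.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,3})\s*(?:\(([A-Za-z]+)\))?\s*$")


def parse_version(text):
    """Return (4-tuple of ints, release tag) for a version string.

    Missing trailing components are padded with zeros so that "3.1"
    compares as (3, 1, 0, 0). The tag ("GA", "MR") is kept for reporting
    but does not take part in ordering.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts), (match.group(2) or "").upper()


def is_affected(version_text):
    """True when the firmware predates the fixed release named in the advisory."""
    version, _tag = parse_version(version_text)
    return version < FIXED_VERSION


@dataclass
class Finding:
    host: str
    version: str
    affected: bool
    port_exposed: bool
    severity: str  # "critical", "high" or "ok" (assumed labels)


def triage(inventory):
    """Classify each inventory record (assumed shape: host, version, exposed_ports).

    An affected controller whose port 2004 is reachable beyond the management
    network is the worst case because the hardcoded credentials make the
    service effectively unauthenticated for anyone holding them.
    """
    findings = []
    for record in inventory:
        affected = is_affected(record["version"])
        exposed = SERVICE_PORT in record.get("exposed_ports", ())
        if affected and exposed:
            severity = "critical"
        elif affected:
            severity = "high"
        else:
            severity = "ok"
        findings.append(Finding(record["host"], record["version"],
                                affected, exposed, severity))
    return findings


# Constructed sample inventory for demonstration; hosts and ports are made up.
SAMPLE_INVENTORY = [
    {"host": "iotc-lab-01", "version": "2.4.0.0 (GA)", "exposed_ports": [443, 2004]},
    {"host": "iotc-lab-02", "version": "2.3.1.0 (MR)", "exposed_ports": [443]},
    {"host": "iotc-lab-03", "version": "3.0.0.0 (GA)", "exposed_ports": [443, 2004]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.version} affected={f.affected} "
              f"port{SERVICE_PORT}_exposed={f.port_exposed} -> {f.severity}")
```

Rather than treating a closed port as a fix, the triage keeps every pre-3.0.0.0 controller at least "high": the advisory's remediation is the upgrade, and network restriction of port 2004 only limits who can reach the service until that upgrade is applied.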

Added: Jan 9, 2026, 5:25 PM
Updated: Jan 9, 2026, 5:25 PM