Vulnerabilities > CVE-2020-26878 - Missing Authorization vulnerability in Commscope Ruckus Vriot 1.5.1.0.21

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

commscope

CWE-862

critical

NVD

Published: 2020-10-26

Updated: 2021-07-21

Summary

Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.

Vulnerable Configurations

Part	Description	Count
Application	Commscope Commscope Ruckus Vriot - Commscope Ruckus Vriot 1.5.1.0.21	2
Hardware	Commscope Commscope Ruckus IOT Module -	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://adepts.of0x.cc/ruckus-vriot-rce/
https://twitter.com/TheXC3LL
https://support.ruckuswireless.com/security_bulletins/305
https://support.ruckuswireless.com/documents
https://adepts.of0x.cc
https://x-c3ll.github.io