Exploitation Spike Observed for Ruckus Wireless Admin RCE Vulnerability (CVE-2023-25717)

Description

UPDATE - May 8th, 2023: Added a link to a new FortiGuard Labs' blog "AndoryuBot - New Botnet Campaign Targets Ruckus Wireless Admin Remote Code Execution Vulnerability (CVE-2023-25717)".


FortiGuard Labs has recently observed a spike in our detection for the Ruckus Wireless Admin RCE vulnerability (CVE-2023-25717). Ruckus Wireless Admin version 10.4 and earlier are vulnerable affecting multiple Ruckus wireless Access Point (AP) devices. Successful exploitation could result in total compromise of the vulnerable devices.


Why is this Significant?

This is significant because Fortinet telemetry indicates the Ruckus Wireless Admin RCE Vulnerability (CVE-2023-25717) is being exploited in the wild, potentially resulting in attackers taking control of the vulnerable Ruckus wireless AP devices. Also, Proof-of-Concept (PoC) code is publicly available. As such, a patch should be applied as soon as possible.


What is CVE-2023-25717?

CVE-2023-25717 is a Remote Code Execution vulnerability that affects Ruckus Wireless Admin version 10.4 and earlier. The advisory published by Ruckus lists multiple wireless Access Point (AP) devices that are susceptible to the vulnerability. Successful exploitation could result in total compromise of the vulnerable devices.


The vulnerability is due to improper handling of a crafted HTTP request. A remote authenticated attacker could exploit the vulnerability by sending crafted HTTP requests to the target server. Successful exploitation could result in total compromise of the affected devices. The vulnerability has a CVSS base score of 9.8.


Has the Vendor Released an Advisory for CVE-2023-25717?

Yes. Please refer to the Appendix for a link to "Security Bulletin 20230208".


Has the Vendor Released a Patch for CVE-2023-25717?

Yes, a vendor patch is available.


Which Ruckus Devices are Vulnerable to CVE-2023-25717?

The list of affected devices is available in the vendor advisory. Please refer to the Appendix for a link to "Security Bulletin 20230208".


What is the Status of the Protection?

FortiGuard Labs released the following IPS signature in version 23.531 for CVE-2023-25717:

  • Ruckus.Wireless.Admin.Remote.Code.Execution (default action is set to "pass")