CVE-2025-69426

The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise.

CVSS

No CVSS.

References

Link	Resource
https://support.ruckuswireless.com/security_bulletins/336
https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-ssh-credentials-rce

Configurations

No configuration.

History

15 Apr 2026, 14:34

Type	Values Removed	Values Added
Summary		(es) Las versiones de firmware del controlador IoT Ruckus vRIoT anteriores a 3.0.0.0 (GA) contienen credenciales codificadas para una cuenta de usuario del sistema operativo dentro de un script de inicialización. El servicio SSH es accesible por red sin restricciones basadas en IP. Aunque la configuración deshabilita SCP y la asignación de pseudo-TTY, un atacante puede autenticarse usando las credenciales codificadas y establecer un reenvío de puerto local SSH para acceder al socket de Docker. Al montar el sistema de archivos del host a través de Docker, un atacante puede escapar del contenedor y ejecutar comandos arbitrarios del sistema operativo como root en el controlador vRIoT subyacente, lo que resulta en un compromiso completo del sistema.

09 Jan 2026, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-09 17:15

Updated : 2026-04-15 14:34

NVD link : CVE-2025-69426

Mitre link : CVE-2025-69426

CVE.ORG link : CVE-2025-69426

JSON object : View

Products Affected

No product.

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2025-69426", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-09T17:15:53.997", "references": [{"url": "https://support.ruckuswireless.com/security_bulletins/336", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-ssh-credentials-rce", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-732"}, {"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise."}, {"lang": "es", "value": "Las versiones de firmware del controlador IoT Ruckus vRIoT anteriores a 3.0.0.0 (GA) contienen credenciales codificadas para una cuenta de usuario del sistema operativo dentro de un script de inicializaci\u00f3n. El servicio SSH es accesible por red sin restricciones basadas en IP. Aunque la configuraci\u00f3n deshabilita SCP y la asignaci\u00f3n de pseudo-TTY, un atacante puede autenticarse usando las credenciales codificadas y establecer un reenv\u00edo de puerto local SSH para acceder al socket de Docker. Al montar el sistema de archivos del host a trav\u00e9s de Docker, un atacante puede escapar del contenedor y ejecutar comandos arbitrarios del sistema operativo como root en el controlador vRIoT subyacente, lo que resulta en un compromiso completo del sistema."}], "lastModified": "2026-04-15T14:34:27.800", "sourceIdentifier": "disclosure@vulncheck.com"}