
Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded Tokens RCE (CVE-2025-69425)

Score 10 / 10 (CRITICAL)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise.
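An added example (not from the advisory or the vendor) for triaging this CVE in your own environment: it flags inventory entries running a build earlier than 3.0.0.0 and scans constructed firewall-style log lines for any inbound TCP/2004 flow to a controller. The hostnames, addresses and log format are assumptions.

```python
import re

# Builds at or above this GA release carry the fix per the advisory.
FIXED_VERSION = (3, 0, 0, 0)

# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE_INVENTORY = {
    "vriot-lab-01": "2.3.1.0 (MR)",
    "vriot-prod-01": "2.4.0.0 (GA)",
    "vriot-prod-02": "3.0.0.0 (GA)",
}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,3})\s*(?:\((\w+)\))?\s*$")

def parse_version(text):
    """Parse 'A.B.C.D (GA)' into a 4-tuple; the GA/MR tag is ignored for ordering."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))  # pad a short '2.4' to (2, 4, 0, 0)
    return tuple(parts)

def is_affected(version_text):
    """True when the firmware predates the 3.0.0.0 (GA) fix."""
    return parse_version(version_text) < FIXED_VERSION

def triage_inventory(inventory):
    """Return the hostnames still running an affected build, sorted."""
    return sorted(h for h, v in inventory.items() if is_affected(v))

# Constructed firewall-style log lines. Any inbound flow to TCP 2004 on a
# controller is worth reviewing: the advisory says that port hosts the
# root-privileged command service and should not be reachable from clients.
SAMPLE_LOG = """\
2026-01-10T08:01:02Z ALLOW tcp 10.0.5.23:51234 -> 10.0.1.10:443
2026-01-10T08:01:05Z ALLOW tcp 192.0.2.77:40211 -> 10.0.1.10:2004
2026-01-10T08:02:11Z DENY tcp 198.51.100.9:4433 -> 10.0.1.10:2004
2026-01-10T08:03:00Z ALLOW tcp 10.0.5.23:51240 -> 10.0.1.10:22
"""

_LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) tcp (\S+):\d+ -> (\S+):(\d+)$")

def port_2004_connections(log_text, controllers):
    """Return (timestamp, action, src, dst) for each TCP/2004 flow to a controller."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and m.group(4) in controllers and m.group(5) == "2004":
            hits.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return hits
```

Allowed flows to 2004 from outside the management network are the ones to escalate; denied ones still show that something is probing the service.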

AI Analysis

Hardcoded tokens in Ruckus vRIoT IoT Controller allow for remote code execution with root privileges

Basic Information

ID CVE-2025-69425
Source VulnCheck
Published Jan 9, 2026 at 16:14

Affected Product

Vendor RUCKUS Networks
Product vRIoT IoT Controller
Version 2.3.0.0 (GA)
Affected Versions RUCKUS Networks vRIoT IoT Controller 2.3.0.0 (GA), 2.3.1.0 (MR), 2.4.0.0 (GA)

CWE Classification

AI Assessment

AI Score 10 / 10
AI Severity Critical
Vendor RUCKUS Networks
Product vRIoT IoT Controller
Version 2.3.0.0 (GA), 2.3.1.0 (MR), 2.4.0.0 (GA)

References
