CVE-2025-69425
Published: Jan 9, 2026
Modified: May 14, 2026
Description
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise.
| Vendor | Product | Versions |
|---|---|---|
| RUCKUS Networks | vRIoT IoT Controller | affected 2.3.0.0 (GA) - < 3.0.0.0 (GA); affected 2.3.1.0 (MR) - < 3.0.0.0 (GA); affected 2.4.0.0 (GA) - < 3.0.0.0 (GA) |