CVE-2025-69425

Published 09/01/2026 17:15 · Modified 09/01/2026 17:15

Labels: CVE-2025-69425, 2026-01-09, CWE-306, [email protected]

Essential information

Published: 09/01/2026 17:15
Modified: 09/01/2026 17:15
Author:
Creator:
CVSS: 10.0 CRITICAL (v3), 10.0 CRITICAL (v4.0)
CISA KEV: No
CWE:
CVSS vector:

Description

The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise.

NVD status

Status: Received. CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: ruckus / vriot iot controller
CPE: cpe:2.3:a:ruckus:vriot_iot_controller:<3.0.0.0:ga:*:*:*:*:*:*

References