The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise.
The service listening on TCP port 2004 requires authentication based on Time-based One-Time Password (TOTP), however the TOTP secret and static token embedded in the software are identical across all devices (CWE-798 – hardcoded credentials). There is no identity verification mechanism dependent on administrator configuration (CWE-306 – missing authentication for critical function). After extracting this data from firmware or a compromised device, an attacker can independently generate valid authentication tokens and send arbitrary OS commands to the service. The service operates with root privileges, meaning there are no restrictions on the scope of performed operations.
Attacker gains full control of the device with root privileges, enabling execution of arbitrary operating system commands, configuration modification, installation of backdoors, and further actions within the network (lateral movement).
Update Ruckus vRIoT IoT Controller firmware to version 3.0.0.0 (GA) or newer. Until the patch is deployed, it is recommended to restrict access to TCP port 2004 at the firewall level exclusively to trusted administrative hosts. Details available in the vendor's security bulletin: https://support.ruckuswireless.com/security_bulletins/336
Ruckus vRIoT IoT Controller – firmware versions prior to 3.0.0.0 (GA)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X