CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Remote Code Execution. A parameter in a vSZ API route is user-controlled and is not sanitized before being used in an OS command. An attacker could supply a malicious payload to achieve code execution.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
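The class of flaw described above and its code-level fix, as an added example that is not Ruckus code and not part of the original advisory. The `host` parameter, its hostname format, the `diagtool` command name and the handler names are assumptions, since the advisory names neither the route nor the parameter.

```python
import json
import re
import subprocess
import sys

# Assumed parameter format (hostname or IPv4 literal); the advisory does not name the parameter.
# First character must be alphanumeric, so a value can never start with "-" and act as an option.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

# Stand-in for the OS utility the route would call: a child process that reports
# the argument vector it received, so the effect of each value is observable.
TOOL = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]


def vulnerable_command_line(host):
    """CWE-78 pattern: the value becomes part of a string a shell will parse.
    Built for comparison only; this example never executes it.
    'diagtool' is a hypothetical command name."""
    return "diagtool " + host


def validate_host(host):
    """Allowlist check: reject anything that is not a plain host name."""
    if not isinstance(host, str) or not HOST_RE.fullmatch(host):
        raise ValueError("host parameter rejected")
    return host


def run_without_shell(value):
    """Pass the value as one argv element; no shell ever interprets it."""
    proc = subprocess.run(TOOL + [value], capture_output=True, text=True,
                          timeout=10, check=True)
    return json.loads(proc.stdout)


def handle_request(host):
    """Hardened handler: validate first, then execute with an argument vector."""
    return run_without_shell(validate_host(host))


if __name__ == "__main__":
    hostile = "ap-01; echo INJECTED"            # constructed sample input
    print(vulnerable_command_line(hostile))      # a shell would parse two commands
    print(run_without_shell(hostile))            # arrives as one literal argument
    print(handle_request("ap-01.example.net"))   # accepted value
```

The two controls are independent: the argument vector removes the shell from the path, and the allowlist rejects the value before any process is started.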