🔐 CVE Alert

CVE-2025-69425

UNKNOWN 0.0

Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded Tokens RCE

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 15th

The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise.

CWE: CWE-306, CWE-798
Vendor: ruckus networks
Product: vriot iot controller
Published: Jan 9, 2026
Last Updated: May 14, 2026

Affected Versions

RUCKUS Networks / vRIoT IoT Controller
2.3.0.0 (GA) < 3.0.0.0 (GA)
2.3.1.0 (MR) < 3.0.0.0 (GA)
2.4.0.0 (GA) < 3.0.0.0 (GA)

References

support.ruckuswireless.com: https://support.ruckuswireless.com/security_bulletins/336
vulncheck.com: https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-tokens-rce

Credits

Ivan Racic