CVE-2025-69425

EUVD-2026-1705

09.01.2026, 17:15

The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) expose a command execution service on TCP port 2004 running with root privileges. Authentication to this service relies on a hardcoded Time-based One-Time Password (TOTP) secret and an embedded static token. An attacker who extracts these credentials from the appliance or a compromised device can generate valid authentication tokens and execute arbitrary OS commands with root privileges, resulting in complete system compromise.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

https://support.ruckuswireless.com/security_bulletins/336

https://www.vulncheck.com/advisories/ruckus-vriot-iot-controller-hardcoded-tokens-rce