RCE/CSRF - RUCKUS Technical Support Response Center
This page is the primary resource for RUCKUS Networks, CommScope customers and partners to address the RUCKUS AP Web Vulnerability (RCE/CSRF). It acts as a central home for support links and content that provide more information about the vulnerability, and for other technical resources to assist you with your response to it.
Security Bulletin, FAQs, and Knowledge Base
- Security Bulletin CVE-2023-25717: RUCKUS AP Web Vulnerability (RCE/CSRF)
- Signed TXT file and PDF formats also available without login on https://www.ruckusnetworks.com/support/security-bulletins
- Applicable CVE: CVE-2023-25717
- RCE/CSRF Vulnerability FAQs
- Q: What if I don't have an active Support contract with RUCKUS? Will I be able to upgrade my software?
A: Yes. You will be able to obtain the patches that are available for your platform even if you don't have a current support contract. At this time, a limited-time manual support entitlement (1 day validity) will be provided if your controller falls into the eligibility criteria for the upgrade.
- Q: What are the eligibility criteria for the one-time support exception?
A: Your controller (not the Access Point version) should be on a version that is impacted. The Access Point model(s) to which you want to apply the fix should be supported by the recommended firmware version.
- Q: If I face issues with my controller or Access Points after the upgrade (other than the controller/AP firmware upgrade itself), am I eligible for support?
A: No. The limited-time support entitlement is valid only for upgrade assistance; no additional issues can be reported under it. We strongly recommend that you purchase a support entitlement for your devices to get all the support benefits.
RCE/CSRF Technical Resources
RUCKUS Resources
- RUCKUS Community Discussion: [CVE-2023-25717] RCE/CSRF
Industry Technical Response and Communications
- RCE/CSRF @ NIST: CVE-2023-25717
RCE/CSRF Security Patch Release Schedules - last updated 18 May 2023
| Platform | Product Vulnerable? | Vulnerable Software Release | Resolution |
|---|---|---|---|
| SmartZone and Virtual SmartZone | Yes | 5.2.x and earlier versions | Upgrade to 5.2.2MR2 or later release |
| RUCKUS SmartZone (FIPS) and Virtual SmartZone (FIPS) | Yes | 5.1.2.3 and older | 5.2.1.3 and later versions |
| ZoneDirector | Yes | 10.4.0 and earlier | Upgrade to 10.4.1.257 (GA Refresh 4) or later |
| Access Points - Indoor and Outdoor | Yes | 114.0.0.0.5562 and earlier | Upgrade to 114.0.0.0.6565 or later |
| Cloudpath | No | Not Applicable | Not Applicable |
| RUCKUS Network Director (RND) | No | Not Applicable | Not Applicable |
| Unleashed and Unleashed Multi-Site Manager (UMM) | No | Not Vulnerable | Not Applicable |
| SPoT/vSPoT | No | Not Applicable | Not Applicable |
| SmartZone Data Plane and Virtual SmartZone Data Plane | No | Not Applicable | Not Applicable |
| RUCKUS Analytics | No | Not Applicable | Not Applicable |
| Mobile Apps | No | Not Applicable | Not Applicable |
| RUCKUS LTE (CBRS) | No | Not Vulnerable | Not Applicable |
| ICX Switches | No | Not Applicable | Not Applicable |
| FlexMaster | No | Not Applicable | Not Applicable |
| IoT | No | Not Applicable | Not Applicable |
| RUCKUS Cloud | No | Not Applicable | Not Applicable |
| SCI | No | Not Applicable | Not Applicable |
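As an added example (not RUCKUS tooling), the following Python script classifies a firmware inventory against the version bounds in the table above, flagging hosts that are below the fixed release or fall in a gap the table does not cover. The platform keys, the rule that an "MRn" suffix counts as one more numeric component, and the sample inventory are assumptions made for the example.

```python
"""Classify a RUCKUS firmware inventory against the CVE-2023-25717 patch table."""
import re

# Bounds transcribed from the patch-release table on this page:
# (highest version the table calls vulnerable, lowest version it calls fixed).
# The "x" wildcard is dropped; "MRn" is read as an extra numeric component
# (an assumption about how RUCKUS version strings order).
AFFECTED = {
    "SmartZone": ("5.2", "5.2.2MR2"),
    "SmartZone FIPS": ("5.1.2.3", "5.2.1.3"),
    "ZoneDirector": ("10.4.0", "10.4.1.257"),
    "Access Point": ("114.0.0.0.5562", "114.0.0.0.6565"),
}
# Platforms the table marks "No" (assumed short keys for the example).
NOT_AFFECTED = {"Cloudpath", "RND", "Unleashed", "UMM", "SPoT", "Data Plane", "Analytics",
                "Mobile Apps", "LTE", "ICX", "FlexMaster", "IoT", "RUCKUS Cloud", "SCI"}

def parse_version(text):
    """'10.4.1.257 (GA Refresh 4)' -> (10, 4, 1, 257); '5.2.2MR2' -> (5, 2, 2, 2)."""
    core = text.split("(")[0].strip()          # drop build annotations
    return tuple(int(n) for n in re.findall(r"\d+", core))

def classify(platform, version):
    """Return 'fixed', 'vulnerable', 'unknown', 'not_affected' or 'unknown_platform'."""
    if platform in NOT_AFFECTED:
        return "not_affected"
    if platform not in AFFECTED:
        return "unknown_platform"
    ceiling, floor = (parse_version(b) for b in AFFECTED[platform])
    v = parse_version(version)
    if v >= floor:
        return "fixed"
    # "N and earlier" covers every release that shares N as a prefix (e.g. 10.4.0.3),
    # so compare only the prefix of matching length against the ceiling.
    if v[:len(ceiling)] <= ceiling:
        return "vulnerable"
    return "unknown"   # between the two bounds: the table does not say, check the bulletin

def audit(inventory):
    """inventory: iterable of (hostname, platform, version); hosts needing action, sorted."""
    return sorted(h for h, p, ver in inventory if classify(p, ver) in ("vulnerable", "unknown"))

# Constructed sample inventory for the example; not real devices.
SAMPLE = [
    ("sz-core-1", "SmartZone", "5.2.1"), ("sz-core-2", "SmartZone", "5.2.2MR2"),
    ("sz-fips-1", "SmartZone FIPS", "5.2.0"), ("zd-hq", "ZoneDirector", "10.4.0.3"),
    ("ap-lobby-7", "Access Point", "114.0.0.0.6565"), ("icx-edge", "ICX", "9.0.10"),
]

if __name__ == "__main__":
    for host, plat, ver in SAMPLE:
        print(f"{host:12} {plat:15} {ver:16} {classify(plat, ver)}")
    print("needs action:", audit(SAMPLE))
```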
RUCKUS Engineering and TAC have continued to support security fixes for the 802.11ac Wave 1 and 802.11n Access Points on a best-effort basis for models which are now past their End of Maintenance (EOM) dates and End of Support dates.
We are several years past the EOM dates for the 802.11n access points, and nearly all 802.11n access points have reached or will reach their End of Support date (four years after the EOM date)* on or before 31 December 2021. At this time, there is no fix planned for EOL devices. We advise customers to use the workaround, as it is equally effective.
Due to the increasing age of both the 802.11ac Wave 1 APs and the 802.11n APs, RUCKUS recommends upgrading to newer Access Points. Replacement APs are detailed at https://www.ruckusnetworks.com/products/wireless-access-points
* Most models reached their EOM dates between 2014 and 2018, with the latest EOM date as 30 April 2020 for the 7781-CM. More than half of the 11n APs have also reached End of Support dates by 31 January 2021 or earlier (2942, 7962, 7341, 7343, 7351, 7363, 7025, 7441, 7762-AC, 7762-S, 7762-T, 7761-CM, 7321), with most of the remaining AP models reaching End of Support on 31 December 2021 (7731, 7782, 7782-N, 7782-S, 7782-E, 7982, 7372, 7352, 7055), except the R300 (End of Support on 1 November 2022) and the 7781-CM (End of Support on 30 April 2024).
CommScope RUCKUS End of Life policy and milestone dates documentation are available at https://support.ruckuswireless.com/product_families/4-eol-ruckus-products