The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can escape the container and execute arbitrary OS commands as root on the underlying vRIoT controller, resulting in complete system compromise.
The firmware initialization script contains hardcoded credentials for a system account (CWE-798). The SSH service is available over the network without any IP address-based restrictions. Despite SCP being disabled and pseudo-TTY allocation restrictions, an attacker can authenticate using hardcoded credentials and establish SSH local port forwarding to gain access to the Docker socket. Subsequently, by mounting the host filesystem through Docker, the attacker escapes the container (container escape) and executes arbitrary system commands as root on the vRIoT controller, leading to complete system takeover (CWE-732).
The attacker gains full control over the device with root privileges, meaning complete system compromise — it is possible to read and modify all data, install backdoors, and perform lateral movement in the IoT network.
The firmware must be updated to version 3.0.0.0 (GA) or newer. Additionally, it is recommended to restrict network access to the SSH service using a firewall or ACL, and to isolate the vRIoT controller from untrusted network segments until the patch is applied.
Ruckus vRIoT IoT Controller — all firmware versions prior to 3.0.0.0 (GA)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X