Ruckus SmartZone CVE-2025-44957 Authentication Bypass: Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-44957, an authentication bypass vulnerability in Ruckus SmartZone before 6.1.2p3 Refresh Build. The flaw enables attackers to gain administrative access using valid API keys and crafted HTTP headers. We highlight affected versions, technical details, and reference official advisories and research.

ZeroPath CVE Analysis

2025-08-04

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Compromise of a wireless network controller can give attackers sweeping control over thousands of access points and hundreds of thousands of clients. CVE-2025-44957 is a critical authentication bypass in Ruckus SmartZone controllers that can enable this scenario, allowing attackers to gain administrative access using only a valid API key and crafted HTTP headers.

About Ruckus Networks and SmartZone: Ruckus Networks, a CommScope company, is a major provider of enterprise wireless networking solutions. Their SmartZone and Virtual SmartZone (vSZ) platforms are widely used to centrally manage large Wi-Fi deployments in education, healthcare, hospitality, and public venues. A single SmartZone controller can manage up to 10,000 access points and 150,000 clients, making it a high-value target for attackers.

Technical Information

CVE-2025-44957 is a result of hardcoded JWT signing keys and API keys within the Ruckus SmartZone and Virtual SmartZone software, affecting versions before 6.1.2p3 Refresh Build. The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). Attackers who possess or discover a valid API key and the hardcoded JWT signing key can craft HTTP requests with specific headers that the controller will accept as authenticated, bypassing normal login and session validation.

The exploitation flow involves sending HTTP requests to the SmartZone management interface with manipulated headers and tokens. If the attacker knows the hardcoded secrets, they can generate valid JWTs or present the API key in a way that the backend accepts as an authenticated admin session. This grants full administrative access to the SmartZone platform, including configuration changes, credential access, and potentially lateral movement into other network segments.

No public code snippets or exploit scripts have been released, but the vulnerability is confirmed by multiple advisories and security research disclosures. The attack requires network access to the management interface and knowledge of a valid API key, which could be obtained through other means or from leaked documentation.

Affected Systems and Versions

The following Ruckus products and versions are affected:

  • SmartZone and Virtual SmartZone (vSZ) controllers prior to 6.1.2p3 Refresh Build
  • SmartZone 5.2.1.x (fixed in 5.2.1.3.1695 or with SecurityFix_5_2_1_3_1695-15389-v1_866985.ksp)
  • SmartZone 5.2.2.x (fixed in 5.2.2.0.1563 or with SecurityFix_5_2_2_0_1563-15389-v1_866974.ksp)
  • SmartZone 6.x (fixed in 6.1.2.0.487 or with SecurityFix_6_1_2_487-15389-v1_0c5006774d7.ksp)
  • SmartZone 7.x (fixed in 7.1.0.0.586 or with SecurityFix_7_1_0_0_586-15389-v1_1141f30a5b6.ksp)

Both physical and virtual appliances are affected. The vulnerability is present in default configurations.
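
A version triage for the list above, as an added example that is not from the original post or from Ruckus: it compares each controller's reported version against the fixed build for its release branch. The hostnames and version strings in the sample inventory are constructed, and the dotted numeric version format is assumed from the fixed builds listed on this page.

```python
# Added example: triage controller versions against the fixed builds listed above.

# Fixed build per release branch, copied from the list on this page.
# Keys are version prefixes; longer (more specific) prefixes are matched first.
FIXED_BUILDS = {
    (5, 2, 1): (5, 2, 1, 3, 1695),
    (5, 2, 2): (5, 2, 2, 0, 1563),
    (6,): (6, 1, 2, 0, 487),
    (7,): (7, 1, 0, 0, 586),
}

# Constructed inventory (hypothetical hostnames and versions), for illustration only.
SAMPLE_INVENTORY = {
    "vsz-campus-1": "6.1.2.0.354",
    "vsz-campus-2": "6.1.2.0.487",
    "sz-hospital": "5.2.1.3.1600",
    "sz-hotel": "7.1.0.0.586",
    "sz-legacy": "5.2.0.0.699",
}


def parse_version(text):
    """Turn '6.1.2.0.354' into (6, 1, 2, 0, 354); raise ValueError on junk."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version_text):
    """Return 'needs-fix', 'at-or-above-fixed-build' or 'no-fixed-build-listed'."""
    version = parse_version(version_text)
    for prefix in sorted(FIXED_BUILDS, key=len, reverse=True):
        if version[:len(prefix)] == prefix:
            fixed = FIXED_BUILDS[prefix]
            # Pad so a short string such as '6.1.2' compares as 6.1.2.0.0.
            padded = version + (0,) * (len(fixed) - len(version))
            return "needs-fix" if padded < fixed else "at-or-above-fixed-build"
    # Branch not in the list above: check the vendor advisory for that release.
    return "no-fixed-build-listed"


def triage_inventory(inventory):
    """Map each host to its triage status."""
    return {host: triage(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:14} {status}")
```

This check looks only at the version string; it does not examine whether the branch's `.ksp` security fix has been applied.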

Vendor Security History

Ruckus Networks has previously faced advisories for hardcoded credentials and authentication issues in their management products. The vendor's response to CVE-2025-44957 was initially delayed, with researchers and CERT/CC reporting communication difficulties. Eventually, CommScope released coordinated advisories and patches. The vendor maintains a security bulletin portal and has provided both immediate KSP patches and full version upgrades for remediation.
