{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97442?format=json","vulnerability_id":"VCID-q3d9-7bhh-tqac","summary":"An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller.","aliases":[{"alias":"CVE-2025-46121"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46121","reference_id":"","reference_type":"","scores":[{"value":"0.03587","scoring_system":"epss","scoring_elements":"0.88069","published_at":"2026-06-14T12:55:00Z"},{"value":"0.03587","scoring_system":"epss","scoring_elements":"0.88024","published_at":"2026-06-11T12:55:00Z"},{"value":"0.03587","scoring_system":"epss","scoring_elements":"0.88065","published_at":"2026-06-12T12:55:00Z"},{"value":"0.03587","scoring_system":"epss","scoring_elements":"0.88071","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46121"},{"reference_url":"https://sector7.computest.nl/post/2025-07-ruckus-unleashed/","reference_id":"2025-07-ruckus-unleashed","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-07-28T19:42:03Z/"}],"url":"https://sector7.computest.nl/post/2025-07-ruckus-unleashed/"},{"reference_url":"https://support.ruckuswireless.com/security_bulletins/330","reference_id":"330","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-07-28T19:42:03Z/"}],"url":"https://support.ruckuswireless.com/security_bulletins/330"}],"weaknesses":[],"exploits":[],"severity_range_score":"9.8 - 9.8","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q3d9-7bhh-tqac"}