Update now! Ruckus vulnerability added to CISA’s list of actively exploited bugs

Along with six older vulnerabilities, the Cybersecurity and Infrastructure Agency (CISA) has added a vulnerability in multiple Ruckus wireless products to the Known Exploited Vulnerabilities Catalog. This means that  Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by June 2, 2023.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Ruckus vulnerability is listed under CVE-2023-25717, which indicates that Ruckus Wireless Access Point software contains a vulnerability in its web services component. If the component is enabled on the access point, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability reportedly impacts Ruckus ZoneDirector, SmartZone, and Solo Aps with Ruckus Wireless Admin panels version 10.4 and older.

The Ruckus security bulletin about the vulnerability, issued on February 8, 2023 and edited on May 11, 2023, displays a long list of affected devices. Several of these devices have reached end-of-life (EoL) which means they may not get patched against this vulnerability. Users of supported devices can find download links and install instructions by following the links behind their specific product.

One malware operator that has been found to exploit vulnerable Ruckus devices is the relatively new botnet, AndoryuBot. Infected devices are used to propagate the botnet malware to other devices and are used in DDoS attacks. To avoid detection and to bypass firewalls, the botnet uses the SOCKS proxying protocol. SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. This protocol is often used because it allows traffic to bypass Internet filtering to access content which would otherwise be blocked, but it can also be used to circumvent blocklists and firewall rules.


To protect your devices against the AndoryuBot botnet which seems to thrive on this vulnerability, you should install the available patches and replace the legacy devices that have reached EoL.

Other measures to protect your devices from falling prey to botnets are:

  • Use strong passwords and multi-factor authentication where possible.
  • Do not make your admin panels accessible from the internet if you can avoid it. If you can’t completely disable remote access, use very strict access policies.
  • Segregate your network so critical components are separated from vulnerable assets.
  • Apply active protection software and monitor network traffic.

The Malwarebytes web protection module blocks the download of the botnet malware:

Malwarebytes blocks

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.