CVE-2025-46121 is a critical remote code execution vulnerability found in CommScope Ruckus Unleashed wireless controllers prior to versions 200.15.6.212.14 and 200.17.7.0.139. The flaw arises from improper handling of client hostnames in the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot`. These functions pass the client hostname directly as the format string argument to the C function snprintf, which is unsafe when the input contains format specifiers. An attacker can exploit this by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp` or, more critically, without authentication and without direct network access to the controller by spoofing the MAC address of a favorite station and embedding malicious format specifiers in the DHCP hostname field. This leads to unauthenticated format string processing, enabling arbitrary code execution on the controller. The vulnerability is classified under CWE-134 (Use of Externally-Controlled Format String) and has a CVSS v3.1 base score of 9.8, indicating critical severity. The attack vector is network-based with no privileges or user interaction required, and it impacts confidentiality, integrity, and availability fully. No known exploits are currently reported in the wild, but the ease of exploitation and severity make this a high-risk threat. The vulnerability affects wireless controllers that are often deployed in enterprise and public Wi-Fi environments, making it a significant risk for network infrastructure security.

For European organizations, this vulnerability poses a severe risk to network infrastructure security. Compromised Ruckus Unleashed controllers could allow attackers to execute arbitrary code remotely without authentication, potentially leading to full system compromise. This can result in unauthorized access to sensitive network traffic, disruption of wireless services, lateral movement within corporate networks, and deployment of further malware or ransomware. Critical sectors such as finance, healthcare, government, and telecommunications that rely on Ruckus wireless infrastructure could face data breaches, operational downtime, and regulatory penalties under GDPR due to compromised confidentiality and availability. The unauthenticated nature of the exploit increases the attack surface, especially in environments where wireless controllers are exposed or accessible via DHCP. The ability to spoof MAC addresses and inject malicious hostnames remotely further exacerbates the risk, making detection and prevention more challenging.

1. Immediate upgrade of all affected Ruckus Unleashed controllers to versions 200.15.6.212.14 or 200.17.7.0.139 or later, as these versions contain patches addressing this vulnerability. 2. Implement network segmentation to isolate wireless controllers from untrusted networks and restrict access to management interfaces strictly to authorized personnel and systems. 3. Deploy DHCP snooping and MAC address filtering to prevent unauthorized devices from spoofing MAC addresses and injecting malicious hostnames. 4. Monitor network traffic for anomalous DHCP requests and suspicious hostname patterns that may indicate exploitation attempts. 5. Apply strict input validation and sanitization on all client-supplied data fields, especially hostnames, to prevent format string injection. 6. Use intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect exploitation attempts targeting this vulnerability. 7. Conduct regular security audits and penetration testing focused on wireless infrastructure to identify and remediate similar vulnerabilities proactively. 8. Maintain an incident response plan that includes procedures for isolating and recovering compromised wireless controllers.