Critical Ruckus Bug Used to Exploit Wi-Fi Access Points


Cybersecurity researchers have identified a cyber threat that exploits a critical vulnerability in the Ruckus Wireless Admin panel (CVE-2023-25717). This vulnerability enables attackers to gain unauthorized access to devices, remotely execute malicious code and carry out orchestrated DDoS attacks, among other malicious activities.

Unpatched vulnerable access points are the primary targets that serve as entry points for attackers.

Affected end-of-life Ruckus models do not have options to patch, leaving them particularly exposed to potential attacks. As a result, owners of end-of-life models are at higher risk of being targeted. CVE-2023-25717 was addressed with a patch for current models in early February.

CVE-2023-25717 Ruckus Wireless Admin panel vulnerability is being actively exploited.

Acreto Solution

Acreto can help secure Wi-Fi access points (APs) on end-of-life models by implementing the following measures:

  • Ecosystem Isolation: Acreto’s Ecosystems allow for the isolation of individual or groups of systems, including Wi-Fi APs, on a shared network. This isolation ensures that access to the APs is limited only to authorized devices within the Ecosystem, preventing unauthorized access from external entities.
  • Access Control: Acreto enables granular access control over network protocols, ports, and application protocols for communication with Wi-Fi APs. By defining strict access policies, organizations can ensure that only authorized devices and systems can communicate with the APs, reducing the risk of unauthorized access or tampering.
  • Threat Prevention: Acreto’s threat prevention capabilities, including threat signature identification and behavioral analysis, help detect and mitigate known and unknown threats targeting Wi-Fi APs. By continuously monitoring for malicious activities and abnormal behaviors, Acreto blocks malicious attempts, such as unauthorized access attempts or exploitation of vulnerabilities in the APs.
  • Micro-Segmentation: Acreto’s micro-segmentation capabilities allow for the segmentation of Wi-Fi APs into separate security domains. This ensures that even if one AP is compromised, the impact is limited to that specific segment, preventing lateral movement and minimizing the potential damage to the entire network.
  • Encrypted Secure Scan: Acreto’s Encrypted Secure Scan feature decrypts, scans, and re-encrypts communications in real-time. This allows for the inspection of encrypted traffic to and from Wi-Fi APs, ensuring that any malicious content embedded in the encrypted payload is detected and blocked.
  • Event Tracking & Management: Acreto provides event tracking and management capabilities, allowing organizations to monitor and analyze activities related to Wi-Fi APs. This includes detecting and responding to suspicious events, such as unauthorized access attempts or unusual traffic patterns.

By implementing these measures, Acreto helps enhance the security of Wi-Fi APs, protecting them from unauthorized access, exploitation, and other malicious activities.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

  • Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.
  • Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications is encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, while the clean and validated communication is delivered to its final destination.


Access Control

Identity with MFA

  • User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations’ Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.
  • Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.


Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload/download of files by type such .EXE, PDF, XLS, DOC, SCR, and MSI among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls
  • Social Security Number Upload / Download Controls
  • RegEx Pattern Upload / Download Controls


Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Threat Signature

Identifies and mitigates known bad exploits, malware, botnets and ransomware.

Zero-Day Behavioral Analysis

Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.


Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.


Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when its time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

Mechanism of Attack

These technical details provide an overview of the CVE, its exploitation, the associated AndoryuBot malware, and the services provided by the botnet operators.

  • CVE-2023-25717: Ruckus Wireless Access Point (AP) Vulnerability CISA has identified an unspecified vulnerability in the web services component of Ruckus Wireless Access Point (AP) software. If the web services component is enabled, this vulnerability can be exploited for cross-site request forgery (CSRF) or remote code execution (RCE) attacks.For more details on CVEs, visit: CVE – CVE (
  • Exploitation: Attackers exploit the vulnerability by sending unauthenticated HTTP GET requests to vulnerable Wi-Fi access points (APs). These requests carry out the infection process, deploying the AndoryuBot malware onto the compromised devices.
  • AndoryuBot Malware: AndoryuBot malware is being used in the exploitation of the Ruckus Wireless Admin panel vulnerability. Once the malware infects a vulnerable Wi-Fi AP, it becomes part of a botnet, a network of compromised devices under the control of the attackers.
  • DDoS Attacks: The compromised devices in the botnet are used to launch Distributed Denial-of-Service (DDoS) attacks. The AndoryuBot malware supports 12 DDoS attack modes, including tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.
  • Botnet-as-a-Service: The operators of the AndoryuBot botnet offer their services to cybercriminals seeking to launch DDoS attacks. They allow others to rent the firepower of the botnet for their malicious activities.
  • Payment Methods: Payments for the botnet service are accepted through the CashApp mobile payment service or various cryptocurrencies, including XMR (Monero), BTC (Bitcoin), ETH (Ethereum), and USDT (Tether).


About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

    Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

      Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.

        Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.