CVE-2025-67304
Published: 19 February 2026
Description
In Ruckus Network Director (RND) < 4.5.0.54, the OVA appliance contains hardcoded credentials for the ruckus PostgreSQL database user. In the default configuration, the PostgreSQL service is accessible over the network on TCP port 5432. An attacker can use the hardcoded credentials to authenticate remotely, gaining superuser access to the database. This allows creation of administrative users for the web interface, extraction of password hashes, and execution of arbitrary OS commands.
Mitigating Controls (NIST 800-53 r5) [AI]
IA-5 mandates proper management of authenticators, explicitly prohibiting hardcoded or default credentials like those for the ruckus PostgreSQL database user.
SC-7 requires boundary protection to monitor and control communications, blocking remote network access to the exposed PostgreSQL service on TCP port 5432.
CM-7 enforces least functionality by prohibiting or restricting unnecessary ports, protocols, and services such as the default exposure of PostgreSQL on TCP 5432.
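A configuration check for the SC-7 and CM-7 controls above, as an added example that is not from the advisory or the vendor: it reads the text of a standard PostgreSQL `postgresql.conf` and `pg_hba.conf` and reports whether the service listens beyond loopback and which rules let the `ruckus` user connect from non-loopback addresses. The file locations on the appliance are not given on this page, the function names are hypothetical, and the sample configuration is constructed.

```python
import ipaddress
import re

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
LOCAL_LISTEN = {"", "localhost", "127.0.0.1", "::1"}

def listens_remotely(postgresql_conf):
    """True if listen_addresses binds anything beyond loopback (PostgreSQL default: localhost)."""
    value = "localhost"
    for line in postgresql_conf.splitlines():
        m = re.match(r"\s*listen_addresses\s*=?\s*'?([^'#]*)'?", line)
        if m:
            value = m.group(1)  # the last uncommented setting wins
    return any(a.strip() not in LOCAL_LISTEN for a in value.split(","))

def _loopback_only(address, netmask=None):
    if address == "samehost":
        return True  # matches only the server's own addresses
    try:
        net = ipaddress.ip_network(f"{address}/{netmask}" if netmask else address, strict=False)
    except ValueError:
        return False  # hostname, "all", "samenet": assume reachable from other hosts
    return net.is_loopback

def remote_rules(pg_hba, user="ruckus"):
    """Return (line_no, address, method) for rules that admit `user` from non-loopback sources."""
    findings = []
    for line_no, raw in enumerate(pg_hba.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 5 or f[0] not in HOST_TYPES:
            continue  # blank lines, comments and unix-socket ("local") rules
        if not {u.strip('"') for u in f[2].split(",")} & {user, "all"}:
            continue  # rule does not name this user (+group membership is not resolved)
        # ADDRESS is either CIDR or an IP followed by a separate netmask column
        has_mask = len(f) >= 6 and "/" not in f[3] and ("." in f[4] or ":" in f[4])
        netmask, method = (f[4], f[5]) if has_mask else (None, f[4])
        if method != "reject" and not _loopback_only(f[3], netmask):
            findings.append((line_no, f[3], method))
    return findings

# Constructed sample configuration, not taken from the appliance
SAMPLE_CONF = "#listen_addresses = 'localhost'\nlisten_addresses = '*'\nport = 5432\n"
SAMPLE_HBA = """\
local   all  all                              peer
host    all  all     127.0.0.1/32             scram-sha-256
host    all  ruckus  0.0.0.0/0                md5
host    all  ruckus  10.0.0.0 255.0.0.0       md5
host    all  other   0.0.0.0/0                md5
"""
```

Restricting these rules limits exposure only; the hardcoded credentials remain until the appliance is upgraded to 4.5.0.54 or later.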
Security Summary [AI]
CVE-2025-67304 is a critical vulnerability in Ruckus Network Director (RND) versions prior to 4.5.0.54, specifically affecting the OVA appliance deployment. It stems from hardcoded credentials (CWE-798) for the "ruckus" PostgreSQL database user. In the default configuration, the PostgreSQL service is exposed over the network on TCP port 5432, allowing remote authentication with these static credentials and granting superuser access to the database.
An unauthenticated attacker with network connectivity to the exposed PostgreSQL port can exploit this vulnerability with low complexity. Successful exploitation provides superuser privileges in the database, enabling the creation of administrative users in the RND web interface, extraction of password hashes, and execution of arbitrary operating system commands. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high impact on confidentiality, integrity, and availability.
Advisories recommend upgrading to RND version 4.5.0.54 or later to remediate the hardcoded credentials. Additional guidance on mitigation and exploitation details is provided in the Marlink Cyber advisory (MCSAID-2025-009) at https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-009-ruckus-nd-hardcoded-postgresql-credentials-rce.md and the CommScope security bulletin at https://webresources.commscope.com/download/assets/RUCKUS+Network+Director%3A+Critical+Security+Bypass+Vulnerability+Leading+to+Remote+Code+Execution+and/3adeb3acb69211f08a46b6532db37357.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Hardcoded credentials enable default account abuse (T1078.001) and public-facing service exploitation (T1190); DB superuser access facilitates OS command execution (T1059.004), credential dumping (T1003), and local admin account creation (T1136.001).