VYPR
Unrated severity · NVD Advisory · Published Jan 22, 2020 · Updated Aug 5, 2024

CVE-2019-19836

Description

AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote code execution via a POST request that uses tools/_rcmdstat.jsp to write to a specified filename.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing authentication check on the `AjaxRestrictedCmdStat` command of the zap component in Ruckus Unleashed firmware lets an unauthenticated remote attacker write arbitrary files through a crafted POST request to tools/_rcmdstat.jsp, and from that file write reach code execution.

Vulnerability

The vulnerability lies in the AjaxRestrictedCmdStat command handler of the zap component in Ruckus Wireless Unleashed firmware. The handler is reachable through the web management interface at tools/_rcmdstat.jsp, and that path performs no authentication check before dispatching the request. A crafted POST request to tools/_rcmdstat.jsp therefore lets an attacker write attacker-controlled content to a filename the attacker specifies, on the device filesystem. The issue affects firmware version 200.7.10.102.64 and earlier on every indoor and outdoor Ruckus AP model examined in the cited research, including the R510, R710 and T301n [1].

Exploitation

No prior authentication is needed; the request is processed without a session or login [1]. The only requirement is network reachability to the device's web management interface, so an AP whose management interface is exposed to client VLANs or to the internet is the most exposed. The attack is a single HTTP POST to /tools/_rcmdstat.jsp carrying the target filename and the content to write. Because the handler enforces no access control, the request is processed and the file is created or overwritten on the filesystem [1].
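A detection a SOC can run over HTTP access logs from a proxy or WAF placed in front of the management interface, as an added example that is not part of the original page or of the Aleph Security research. It assumes the log is in the common "combined" access-log format; the AP's own log format is not covered here. The sample lines are constructed, and the normalization step (query-string strip, percent-decoding, slash collapsing) is there so that trivial encodings of the documented path are still matched. Parameter names of the POST body are not on this page, so the detection keys only on method and path:

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request path named in the NVD description for CVE-2019-19836.
TARGET_PATH = "/tools/_rcmdstat.jsp"

# "Combined" access-log format as written by a reverse proxy or WAF in front
# of the AP management interface. This regex is an assumption about the log
# source; it is not a Ruckus log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). They include a query string,
# a percent-encoded underscore and a doubled slash: the cheap variations a
# scanner uses to slip past an exact-string match.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Jan/2020:12:00:01 +0000] "GET /admin/login.jsp HTTP/1.1" 200 1843
198.51.100.23 - - [10/Jan/2020:12:00:09 +0000] "POST /tools/_rcmdstat.jsp HTTP/1.1" 200 512
198.51.100.23 - - [10/Jan/2020:12:00:10 +0000] "POST /tools/_rcmdstat.jsp?x=1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2020:12:03:40 +0000] "POST /tools//%5Frcmdstat.jsp HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2020:12:05:02 +0000] "POST /tools/_rcmdstat.jsp HTTP/1.1" 403 0
10.0.0.7 - - [10/Jan/2020:12:01:15 +0000] "GET /tools/_rcmdstat.jsp HTTP/1.1" 200 95
"""


def normalize_path(target):
    """Strip the query string, percent-decode, collapse repeated '/' and lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "path": normalize_path(m["target"]),
        "status": int(m["status"]),
    }


def find_rcmdstat_posts(log_text):
    """Every POST whose normalized path is the vulnerable endpoint."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "POST" and entry["path"] == TARGET_PATH:
            hits.append(entry)
    return hits


def likely_successful_by_source(hits):
    """Count 2xx POSTs per source IP; non-2xx responses are attempts, not writes."""
    return dict(Counter(h["ip"] for h in hits if 200 <= h["status"] < 300))


if __name__ == "__main__":
    hits = find_rcmdstat_posts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} POST {h["path"]} -> {h["status"]}')
    print("likely successful writes per source:", likely_successful_by_source(hits))
```

Any POST to this path from an address that is not a known management host deserves a ticket; a 2xx from an unpatched device should be treated as a file write and the AP as compromised until its filesystem has been checked.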

Impact

Successful exploitation gives the attacker an arbitrary file write on the device, which can be turned into remote code execution (RCE): writing a malicious script into the web root or overwriting a legitimate executable yields command execution with root privileges [1]. The impact on confidentiality, integrity and availability is total: full control of the device, including exfiltration of data, pivoting to other hosts on the network, or disruption of service.

Mitigation

Ruckus released security advisory 299 for this vulnerability [2]. Operators should upgrade to a firmware release that enforces authentication on _rcmdstat.jsp; the fixed release for each affected model is given in the advisory. No vendor workaround is listed for unpatched devices. Since the attack needs nothing more than network reachability to the management interface [1], the practical compensating control until patching is to restrict that interface to a dedicated management network. The vulnerability has not been added to the CISA KEV catalog as of publication.
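A small triage helper for checking a fleet inventory against the affected range, as an added example that is not part of the original page or of the Ruckus advisory. It encodes only what this page states, the upper bound "through 200.7.10.102.64" from the NVD description; because the fixed release is given in the advisory and not here, a build above that bound is reported as "confirm", not as fixed. The inventory hostnames and build strings are constructed. The point worth showing is that dotted build strings must be compared numerically, component by component; a plain string comparison sorts "200.7.9.x" after "200.7.10.x" and would mark an affected AP as patched:

```python
import re

# Upper bound of the affected range in the NVD description
# for CVE-2019-19836 ("through 200.7.10.102.64").
LAST_KNOWN_AFFECTED = "200.7.10.102.64"

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Extract a dotted numeric build string and return it as a tuple of ints.

    Integer comparison matters: compared as strings, "200.7.9.13.92" sorts
    after "200.7.10.102.64" because '9' > '1', and would wrongly look patched.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no dotted numeric version in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def in_known_affected_range(version):
    """True when the build is at or below the last build named as affected."""
    return parse_version(version) <= parse_version(LAST_KNOWN_AFFECTED)


def assess(version):
    """Triage verdict. Builds above the known range are not assumed fixed:
    the fixed release is listed in Ruckus security advisory 299, not on this page."""
    if in_known_affected_range(version):
        return "affected"
    return "above known-affected range; confirm fixed build in Ruckus advisory 299"


# Constructed inventory; hostnames and build strings are illustrative only.
SAMPLE_INVENTORY = [
    ("ap-lobby", "Unleashed 200.7.10.102.64"),
    ("ap-warehouse", "200.7.9.13.92"),
    ("ap-roof", "200.7.10.102.65"),
]


def triage(inventory):
    """Return (name, verdict) for every (name, version-string) pair."""
    return [(name, assess(ver)) for name, ver in inventory]


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY):
        print(f"{name}: {verdict}")
```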

[1]: Aleph Security blog post describing the vulnerability and its exploitation.
[2]: Ruckus security advisory 299.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
