VYPR
Unrated severity · NVD Advisory · Published Jan 23, 2020 · Updated Aug 5, 2024

CVE-2019-19838

Description

emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=get-platform-depends to admin/_cmdstat.jsp via the uploadFile attribute.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ruckus Wireless Unleashed emfd allows unauthenticated remote command injection via a crafted POST to admin/_cmdstat.jsp.

Vulnerability

The emfd component in Ruckus Wireless Unleashed firmware versions up to and including 200.7.10.102.64 contains a command injection vulnerability. A remote attacker can send a POST request to /admin/_cmdstat.jsp with the attribute xcmd=get-platform-depends and an arbitrary payload in the uploadFile parameter. No authentication is required; the endpoint is exposed on the administrative web interface of access points running the affected firmware. [1][2]

Exploitation

An attacker with network access to the target device's management interface (typically TCP port 80 or 443) sends a crafted HTTP POST request to admin/_cmdstat.jsp. The request includes xcmd=get-platform-depends and the malicious OS command embedded in the uploadFile parameter. The device's emfd process executes the command without sanitization, resulting in pre-authentication remote command execution. [1][3]

Impact

Successful exploitation grants the attacker arbitrary OS command execution with the privileges of the emfd process (typically root on the embedded Linux system). This allows full compromise of the access point, including data exfiltration, installation of persistent backdoors, lateral movement within the network, and potential disruption of service. [1][3]

Mitigation

Ruckus has not released an official patch or advisory at the time of writing. Users are advised to restrict network access to the administrative web interface, disable remote management where not required, and monitor for unauthorized access attempts. Devices running firmware version 200.7.10.102.64 or earlier are affected; updating to a later, patched version is recommended once available. [1][2]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
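
One way to act on the monitoring advice in the Mitigation section, as an added example (not code from the advisory, the vendor, or this site): it scans web access logs for POST requests to `admin/_cmdstat.jsp` that come from outside the management network. It assumes Combined Log Format logs from a proxy or firewall in front of the management interface; the management subnet and the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: management stations live in this subnet (constructed value).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
ENDPOINT = "/admin/_cmdstat.jsp"  # path named in the CVE description

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target: str) -> str:
    """Drop query/fragment, decode %-escapes, collapse slashes, lowercase.
    Lowercasing over-matches on purpose so case variants are not missed."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def is_mgmt_source(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in MGMT_NETS)

def find_suspect_posts(lines):
    """Return (timestamp, source, status) for POSTs to ENDPOINT from outside MGMT_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalize_path(m["target"]) == ENDPOINT and not is_mgmt_source(m["ip"]):
            hits.append((m["ts"], m["ip"], m["status"]))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.20.0.15 - - [23/Jan/2020:10:01:02 +0000] "POST /admin/_cmdstat.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Jan/2020:10:05:40 +0000] "POST /admin/_cmdstat.jsp HTTP/1.1" 200 87 "-" "-"',
    '203.0.113.9 - - [23/Jan/2020:10:06:11 +0000] "POST /admin//%5Fcmdstat.jsp?x=1 HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.7 - - [23/Jan/2020:10:07:00 +0000] "GET /admin/login.jsp HTTP/1.1" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    for ts, ip, status in find_suspect_posts(SAMPLE_LOG):
        print(f"{ts} POST {ENDPOINT} from non-management source {ip} (HTTP {status})")
```

Access logs do not record the POST body, so a hit means the endpoint was reached from an unexpected source, not that a command was injected; treat each hit as a prompt to check the access controls on the management interface.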
