CVE-2019-19839
Description
emfd in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote attackers to execute OS commands via a POST request with the attribute xcmd=import-category to admin/_cmdstat.jsp via the uploadFile attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ruckus Wireless Unleashed APs allow pre-auth OS command injection via a crafted POST request to admin/_cmdstat.jsp.
Vulnerability
An OS command injection vulnerability exists in the emfd component of Ruckus Wireless Unleashed firmware through version 200.7.10.102.64. The flaw is triggered via a POST request to admin/_cmdstat.jsp with the attribute xcmd=import-category and a crafted uploadFile attribute. No authentication is required to reach this endpoint, and the vulnerability affects a wide range of indoor and outdoor access points, including models C110, E510, H320, H510, M510, R310, R500, R510, R600, R610, R710, R720, T300, T301n, T310d, T610, T710, and T710s [1][3].
Exploitation
An attacker with network access to the vulnerable device can send a POST request to admin/_cmdstat.jsp setting xcmd=import-category and including arbitrary OS commands in the uploadFile parameter. No prior authentication or user interaction is needed. The request is processed by the emfd service, which directly passes the input to a shell command, executing the attacker-supplied payload [1].
Impact
Successful exploitation yields remote code execution with root privileges on the affected device. This allows the attacker to fully compromise the access point, execute arbitrary commands, modify firmware, exfiltrate data, or pivot to other network segments [1][3].
Mitigation
Ruckus has released a security advisory for this issue, but the reference provided [2] does not contain specific patch details or version information. Users should upgrade to firmware versions beyond 200.7.10.102.64 as soon as a fixed release becomes available. If no patch is yet installed, restrict network access to the administrative web interface and monitor for unauthorized POST requests to admin/_cmdstat.jsp [1][2].
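The monitoring step above, as an added example that is not part of the original page: a Python check that flags POST requests to admin/_cmdstat.jsp in request records. The record schema, the management network 10.0.50.0/24 and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Assumption: networks allowed to administer the APs (constructed value).
MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]
TARGET_PATH = "admin/_cmdstat.jsp"  # endpoint named in the CVE description
# The page does not give the body encoding, so accept quoted or bare values.
XCMD_RE = re.compile(r"xcmd\s*=\s*[\"']?import-category", re.I)
UPLOAD_RE = re.compile(r"uploadFile\s*=", re.I)

def classify(rec):
    """Return None, 'review' or 'alert' for one request record.

    rec: dict with src, method, url, body (hypothetical schema for a proxy
    or sensor placed in front of the access points).
    """
    path = urlsplit(rec["url"]).path.lower()
    if rec["method"].upper() != "POST" or not path.endswith("/" + TARGET_PATH):
        return None
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in MGMT_NETS):
        return "alert"   # any POST to the endpoint from outside management
    body = unquote_plus(rec.get("body") or "")
    if XCMD_RE.search(body) and UPLOAD_RE.search(body):
        return "review"  # the CVE's request shape, from an admin host
    return None

def scan(records):
    """Return (src, verdict) for every record that needs attention."""
    return [(r["src"], v) for r in records if (v := classify(r))]

# Constructed sample records, not captured traffic.
SAMPLE = [
    {"src": "10.0.50.7", "method": "POST", "url": "/admin/_cmdstat.jsp",
     "body": "xcmd=other"},
    {"src": "10.0.50.7", "method": "POST", "url": "/admin/_cmdstat.jsp",
     "body": "xcmd='import-category' uploadFile='categories.tar'"},
    {"src": "192.168.20.44", "method": "POST",
     "url": "https://ap1.example/admin/_cmdstat.jsp?x=1", "body": ""},
    {"src": "192.168.20.44", "method": "GET", "url": "/admin/login.jsp",
     "body": ""},
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE):
        print(verdict, src)
```

Because the endpoint is reachable without authentication, the check treats the source network, not a session, as the signal for "unauthorized".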
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Ruckus Wireless/Unleashed
- Range: <=200.7.10.102.64
Patches
No patches discovered yet.
References
- alephsecurity.com/2020/01/14/ruckus-wireless (MITRE, x_refsource_MISC)
- fahrplan.events.ccc.de/congress/2019/Fahrplan/events/10816.html (MITRE, x_refsource_MISC)
- www.ruckuswireless.com/security/299/view/txt (MITRE, x_refsource_MISC)