CISA known for its positive impact in the cybersecurity industry has warned about remote code execution on ruckus wireless devices.

Few months ago, CISA released patches on exploit found in ESXI servers and in last month they released a defense tool known as the Untitled goose tool, and that is one of the numerous of their vast contribution in the cybersecurity industry.

The company reported a CVE-2023-25717 that has CSRF and RCE which is vulnerable to multiple Ruckus wireless products.

As reported, the vulnerability affects all ruckus wireless devices, which enables a threat actor to execute malicious codes remotely and gain access to wireless devices that are still exposed to such vulnerabilities.

According to FortiGuard Labs, it is noticed a botnet using the socks protocol being distributed through the Ruckus vulnerable devices. The botnet was discovered to be AndoryuBot, which was first reported in February, 2023.

It has the capability of causing a DDOS (Distributed-Denial-of-Service) using different protocols while communicating with a C2-server (Command-and-Control Server) via the SOCK5 proxies. IP signatures discovered, shows the trigger counts (the botnet distribution and version between mid-April).

The malware exploits the weakness found in the Ruckus Wi-Fi devices.


IPS (Intrusion Prevention System) Signatures

Image source: Fortinet


The Mode of infection of the AndoryuBot occurs by threat actors targeting the Ruckus wifi vulnerability to gain access to the device. The botnet, then further downloads a script to further propagate.

According to Fortinet:

"The AndoryuBot Variant in their analysis shows that the targets occur in certain architectures: arm, m68k, mips, mpsl, sh4, spc, and x86. The file was saved under the name “Andoryu”, and that is how the campaign name was derived."

The script downloads using the file-extension curl. Although the script has “. ppc” in the script, instead of a valid file execution, the link contains the string “invalid file bixxh axx boi”

The Andoryu downloading script

Image source: Fortinet

The botnet is spread via unauthenticated HTTP GET request as shown in the code below, which then returns the admin information such as the username, password, and IP address upon successful compromise, the device is added to a zombie that is designed to launch a DDOS attack.

The Andoryu downloading script

Image source:

The threat actors in order to secure their presence receive payments to use their botnet services via cashApp and cryptocurrencies such as bitcoin

The Andoryu downloading script

Image source: Fortinet

The admin panel is accessed through RCE (Remote Code Execution) via an unauthenticated HTTP GET request.  

The Ruckus wireless Admin Panel

Image source:

The proof of concept on the mode of attack, was reported by Ken Pyle, a CYBIR partner, in which he disclosed various strategy that the threat actor uses to exploit the vulnerable Wi-Fi device.


The CVSS version 3.X , shows the vulnerability has a Base Score :9.8 which is a highly critical vulnerability. The attack vector metric is:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, this explained in the image below: 

Severity score breakdown and analysis

Image source:


CISA issuing BOD 22-01 to Federal Civilian Executive Branch (FCEB) agency to provide a security update on the identified vulnerability by due date in order to prevent FCEB networks from active threats. Information about the BOD 22-01 applies to only FCEB agencies


According to Fortinet protection, the malware can be detected and blocked from access by using FortiGuard Antivirus. The malware signature is detected as: ELF/Andoryu.CBN! tr

The antivirus service is said to be supported by FortiGate, FortiMail, FortiClient, and FortiEDR, which Fortinet Antivirus engine is a part of the various solutions. They further said users of the antivirus software should run current Antivirus updates to stay protected.

They further released IPS (Intrusion Prevention System) signatures to take-charge in protecting their customers from the threat contained in the exploit list.




Put your comments below in the comment section on your thoughts about this.

Find this article and information helpful? Show some love and support  “Click-Here”
0 0 votes
Article Rating
Notify of
Newest Most Voted
Inline Feedbacks
View all comments
Jonathan Kennedy

Error stating Ken Pyle from CommScope, he is a Partner at CYBIR.