Critical RCE vulnerability exploited by new AndoryuBot malware

Target Industry

Indiscriminate, opportunistic targeting.

Overview

An emerging botnet malware variant, named ‘AndoryuBot’, has been observed exploiting a critical security vulnerability in the Ruckus Wireless Administrator panel. The flaw, tracked as CVE-2023-25717 (CVSSv3 score 9.8 – Critical), allows compromised wireless access points to be used for Distributed Denial-of-Service (DDoS) attacks.

Impact

Successful exploitation of CVE-2023-25717 allows threat actors to achieve Remote Code Execution (RCE) via unauthenticated HTTP GET requests. The objective of the botnet is then to incorporate vulnerable devices into its DDoS cluster, which is used for further targeting.

Affected Products

  • Ruckus Wireless Admin panels version 10.4 and prior

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patches are applied to the vulnerable product versions. These can be found within the related Ruckus advisory.

Further, it is advised that the following mitigation steps are adhered to as a network hardening strategy against potential botnet attacks:
– Update IoT devices to the latest product versions
– Reconfigure the factory setting log-in keys, as well as the default username and password of IoT devices
– Implement network segmentation to ensure that all IoT devices are on a separate network from systems critical for daily operations
– Use and maintain anti-virus software
– Implement an official password policy.
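The Impact section notes that the flaw is reached through unauthenticated HTTP GET requests to the administrator panel, and the segmentation step above is what keeps such requests off the management interface in the first place. The following script, added here as an illustration and not taken from the bulletin, Ruckus, or Fortinet, shows one way a defender can check whether that segmentation is actually holding: it parses constructed web-server access log lines and flags any request for the admin panel whose source address lies outside the management subnet. The `/admin/` path prefix, the `10.20.0.0/24` management network, and every log line are assumptions constructed for the example; adjust them to the real management interface and allowed networks.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample access log in common combined format (not real Ruckus logs).
# Hosts 10.20.0.x are inside the assumed management subnet; the other two are not.
SAMPLE_LOG = """\
10.20.0.5 - - [10/May/2023:08:01:12 +0000] "GET /admin/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
10.20.0.5 - - [10/May/2023:08:01:40 +0000] "POST /admin/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.77 - - [10/May/2023:08:03:09 +0000] "GET /admin/status.jsp HTTP/1.1" 200 88 "-" "python-requests/2.28"
198.51.100.23 - - [10/May/2023:08:05:33 +0000] "GET /admin/status.jsp HTTP/1.1" 200 88 "-" "curl/7.88.1"
10.20.0.9 - - [10/May/2023:08:06:01 +0000] "GET /index.html HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
"""

# Assumed admin-panel path prefix and management network; both are placeholders.
ADMIN_PREFIX = "/admin/"
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined log format: src ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_management_source(ip_text: str) -> bool:
    """True when the source address belongs to an allowed management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address is never treated as trusted
    return any(ip in net for net in MGMT_NETS)


def find_admin_access_from_outside(log_text: str) -> List[Dict[str, str]]:
    """Return every admin-panel request whose source is outside the management nets.

    A non-empty result means the management interface is reachable from networks
    that segmentation should have excluded, regardless of whether the request
    was authenticated, which is exactly the exposure an unauthenticated RCE needs.
    """
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIX):
            continue
        if is_management_source(rec["src"]):
            continue
        hits.append(rec)
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged admin-panel requests per external source address."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_admin_access_from_outside(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["path"]} ua="{h["ua"]}"')
    print("per-source:", summarize_by_source(flagged))
```

Run against a real access log export, the script gives a quick yes/no on whether the admin panel is answering to addresses that the segmentation policy says should never reach it; the two flagged lines in the sample come from non-browser user agents, which is a useful secondary signal but not the deciding one, since the source network is what the policy is about.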

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Ruckus occupies a significant portion of the networking-hardware market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, it is possible that Ruckus products could emerge as prime targets. Since Ruckus products have become an integral aspect of business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.

Threat Group

Although no attribution to specific threat actors or groups has been identified at the time of writing, it should be noted that AndoryuBot operators have been observed hiring out their operations to cyber threat actors whose objective is to carry out DDoS attacks.

Mitre Methodologies

Common Weakness Enumeration:
CWE-94 – Improper Control of Generation of Code (‘Code Injection’)

Further Information

Ruckus Advisory

Fortinet Report

Intelligence Terminology Yardstick