CVE-2020-26878

HIGH EXPLOITED IN THE WILD

Ruckus <1.5.1.0.21 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-26878 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 3 public exploits from researchers including X-C3LL, htarsoo.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2020-26878, demonstrating a command injection vulnerability in the user creation endpoint of an unspecified service. The exploit uses a crafted JSON payload to execute arbitrary commands, including user creation and privilege escalation via sudoers modification.

Description

Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.

Exploits (3)

github WORKING POC 11 stars
by X-C3LL · pythonpoc
https://github.com/X-C3LL/PoC-CVEs/tree/master/CVE-2020-26878 & CVE-2020-26879

This repository contains a functional exploit for CVE-2020-26878, demonstrating a command injection vulnerability in the user creation endpoint of an unspecified service. The exploit uses a crafted JSON payload to execute arbitrary commands, including user creation and privilege escalation via sudoers modification.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Unspecified service (likely a web application with a user creation endpoint)
Auth required
Prerequisites: Access to the target endpoint · Valid authorization token
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by htarsoo · remote
https://github.com/htarsoo/CVE-2020-26878

This PoC exploits a command injection vulnerability in Ruckus IoT Controller (vRIoT) versions <= 1.5.1.0.21, leveraging broken authentication to achieve remote code execution via a crafted payload in the username field.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruckus IoT Controller (Ruckus vRIoT) <= 1.5.1.0.21
No auth needed
Prerequisites: Network access to the target · Python 3 environment · Listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote-auth
https://github.com/beyefendi/exploit

This repository contains a functional exploit for CVE-2020-26878, targeting Ruckus IoT Controller (Ruckus vRIoT) versions <= 1.5.1.0.21. The exploit leverages command injection and broken authentication to achieve remote code execution (RCE) as root.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ruckus IoT Controller (Ruckus vRIoT) <= 1.5.1.0.21
No auth needed
Prerequisites: Target IP and port · Attacker IP and port for reverse shell · Netcat listener on attacker machine
devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory x_refsource_misc
https://twitter.com/TheXC3LL
Third Party Advisory x_refsource_misc
https://x-c3ll.github.io
Vendor Advisory x_refsource_misc
https://support.ruckuswireless.com/documents
Product, Vendor Advisory x_refsource_confirm
https://support.ruckuswireless.com/security_bulletins/305
Exploit, Third Party Advisory x_refsource_misc
https://adepts.of0x.cc/ruckus-vriot-rce/
Third Party Advisory x_refsource_misc
https://adepts.of0x.cc

Scores

CVSS v3 8.8
EPSS 0.6297
EPSS Percentile 98.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-06-28
InTheWild.io 2022-07-06
CWE
CWE-78
Status published
Products (1)
commscope/ruckus_vriot < 1.5.1.0.21
Published Oct 26, 2020
Tracked Since Feb 18, 2026