CVE-2020-15312

Vulnerability

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 contain a hardcoded DSA SSH key for the root account, which is used for SSH server authentication on the main host and within chroot environments [1]. The key is embedded in the appliance's filesystem, and no per-device key generation occurs during initial setup.

Exploitation

An attacker who can intercept network traffic between a client and the SecuManager appliance can perform a man-in-the-middle attack. Because the private key is identical across all instances, the attacker can impersonate the server to any connecting SSH client, decrypting and potentially modifying the session. No prior authentication or special privileges are required beyond network proximity.

Impact

Successful exploitation allows the attacker to decrypt all SSH traffic, revealing credentials, configuration data, and other sensitive information transmitted over the management channel. The attacker could also inject malicious commands into the session, potentially gaining full control over the appliance [1].

Mitigation

As of the available references, Zyxel has not released a fixed version for the CloudCNM SecuManager. Users should restrict network access to the management interface to trusted hosts only, use VPNs or encrypted tunnels for remote access, and consider migrating to a supported alternative [1].