CVE-2020-15313

Vulnerability

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 ship with a hardcoded ECDSA SSH private key for the root account. This key is identical across all default installations and is stored on the filesystem, allowing anyone with access to the appliance to obtain it [1]. The key is used for SSH server authentication, and no configuration option exists to regenerate or replace it during initial setup.

Exploitation

An attacker who obtains a copy of the hardcoded SSH key can perform a man-in-the-middle (MitM) attack against any SSH session initiated to the SecuManager appliance. No prior authentication is required to capture the key because it is embedded in the shipped software; the attacker must simply gain read access to the appliance's filesystem (e.g., via another vulnerability, physical access, or a compromised host on the same network) [1]. Once the key is known, the attacker can impersonate the legitimate appliance to any client connecting via SSH and decrypt the encrypted traffic.

Impact

Successful exploitation leads to a complete loss of confidentiality and integrity for SSH communications. An attacker with the hardcoded key can eavesdrop on administrative sessions, capture credentials, and inject forged commands into the SSH stream, potentially gaining full control of the appliance [1]. Because the appliance runs multiple daemons as root and is often exposed to the WAN without a firewall, the impact is amplified.

Mitigation

As of the publication date (2020-06-29), Zyxel has not released a fix for CVE-2020-15313 [1]. Users should treat the software as untrusted and replace the hardcoded SSH key manually by regenerating host keys and updating the authorized keys file. Additionally, restricting network access to the appliance only from trusted management hosts and using VPN tunnels for administration reduces the MitM risk. The appliance is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.