CVE-2020-15315

Vulnerability

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 contain a hardcoded DSA SSH key for the root account located within the /opt/axess chroot directory tree [1]. This key is used as the SSH host key for connections inside the chroot environment. Because the key is static and identical across all installations, an attacker who obtains a copy of the key can impersonate the server or intercept communications within that context.

Exploitation

An attacker with network access to the chroot SSH service can perform a man-in-the-middle (MITM) attack [1]. The attacker does not need any authentication—the ability to intercept or redirect traffic between a client and the vulnerable SSH server is sufficient. By using the known hardcoded private key, the attacker can decrypt and modify the encrypted SSH session without detection. The attack is possible because the key is reused and not generated uniquely per device.

Impact

Successful exploitation allows the attacker to decrypt SSH traffic, capture credentials, and potentially inject malicious commands into the session [1]. This leads to disclosure of sensitive information and possible compromise of the affected system, depending on the privileges of the connecting user. Since the vulnerability resides within the chroot environment, the immediate impact is confined to that sandbox; however, further escalation may be possible if the attacker gains credentials for services outside the chroot.

Mitigation

As of the published references [1], no patch or fixed version has been announced. Users should restrict network access to the SSH service, monitor for unauthorized connections, and consider regenerating the SSH host keys within the chroot if possible. Until a fix is provided by Zyxel, the only workaround is to limit exposure by firewalling the affected service or decommissioning the vulnerable versions (3.1.0 and 3.1.1).