CVE-2020-15316
Description
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH key for the root account within the /opt/axess chroot directory tree.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zyxel CloudCNM SecuManager 3.1.0/3.1.1 ships a hardcoded ECDSA SSH key for root, enabling man-in-the-middle attacks and traffic decryption.
Vulnerability
Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 (released November 14, 2018) contain a hardcoded ECDSA SSH key for the root account, stored within the /opt/axess chroot directory tree [1]. This key is used by the SSH server and is identical across all installations, meaning any attacker who obtains the key can impersonate the server or the client during the SSH handshake.
Exploitation
An attacker with network access to the SSH service of a vulnerable Zyxel CloudCNM SecuManager can perform a man-in-the-middle (MITM) attack [1]. By placing themselves between the legitimate client and server, the attacker can present the known hardcoded host key to the client, intercept the encrypted session, and decrypt the SSH traffic. This requires no authentication or user interaction beyond the client accepting the unchanged host key fingerprint.
Impact
A successful MITM attack allows the attacker to capture all data transmitted over the SSH session, including login credentials, configuration commands, and other sensitive information [1]. The attacker may also inject malicious commands if the session is interactive or if automated scripts rely on the SSH connection. This compromises the confidentiality and integrity of the management traffic for the network management appliance.
Mitigation
Zyxel has not released a public patch for this specific vulnerability as of the publication date [1]. Administrators should restrict SSH access to trusted networks only, use VPN tunnels for remote management, and monitor for unauthorized SSH connections. The affected appliance also suffers from numerous other critical vulnerabilities, so isolating and replacing it is strongly recommended. No KEV listing exists for this CVE.
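The following is an added example, not part of the CVE record or the referenced advisory. If, as described above, the key is served as the SSH host key and is identical across installations, hosts that share it can be found without knowing the key itself by grouping `ssh-keyscan` output by host-key fingerprint. The sample input, the key blobs and the function names are constructed for this example.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed placeholder key blobs; these are not keys from any real appliance.
def _blob(tag):
    return base64.b64encode(b"constructed-ecdsa-key-" + tag).decode()

# Constructed sample in ssh-keyscan output format: "host keytype base64-blob".
SAMPLE_KEYSCAN = f"""\
# 10.0.0.5:22 SSH-2.0-OpenSSH_7.4
10.0.0.5 ecdsa-sha2-nistp256 {_blob(b'A')}
10.0.0.6 ecdsa-sha2-nistp256 {_blob(b'A')}
10.0.0.7 ecdsa-sha2-nistp256 {_blob(b'B')}
[10.0.0.8]:2222 ecdsa-sha2-nistp256 {_blob(b'A')}
10.0.0.9 ssh-ed25519 not*base64
"""

def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def shared_host_keys(keyscan_text):
    """Return {fingerprint: sorted hosts} for host keys seen on two or more hosts."""
    hosts_by_fp = defaultdict(set)
    for line in keyscan_text.splitlines():
        parts = line.split()
        # Skip blank lines, banner comments and truncated entries.
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, _keytype, blob = parts[:3]
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error (malformed base64) is a ValueError
            continue
        hosts_by_fp[fp].add(host)
    # Each installation should have its own host key, so any overlap is a finding.
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

On a real management network the input would be the saved output of `ssh-keyscan -t ecdsa` run against the administrator's own appliance inventory.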
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zyxel/CloudCNM SecuManager (description)
- Range: 3.1.0, 3.1.1
Patches
No patches discovered yet.
References
- pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html (mitre, x_refsource_MISC)
- www.zyxel.com/support/vulnerabilities-of-CloudCNM-SecuManager.shtml (mitre, x_refsource_MISC)