CVE-2020-15317

Vulnerability

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 ship with a hardcoded RSA SSH key for the root account, stored within the /opt/axess chroot directory tree [1]. This key is used for SSH server authentication and is identical across all installations, eliminating the cryptographic guarantee of server identity.

Exploitation

An attacker with network access to the SecuManager appliance can perform a man-in-the-middle (MITM) attack during SSH session establishment. Because the SSH server key is well-known and static, the attacker can impersonate the legitimate server or decrypt captured SSH traffic, provided they can intercept the initial key exchange [1]. No authentication or prior access to the device is required; the attacker only needs to be positioned on the network path between the client and the SecuManager.

Impact

Successful exploitation allows the attacker to decrypt all SSH-encrypted communication sessions with the appliance. This can lead to disclosure of sensitive management data, including login credentials, device configurations, and other privileged information transmitted over SSH. The root-level access afforded by the compromised SSH channel further amplifies the potential for full compromise of the SecuManager and managed devices [1].

Mitigation

As of the publication date (2020-06-29), no official patch or updated version had been released by Zyxel for CVE-2020-15317 [1]. The affected versions (3.1.0 and 3.1.1) are the latest at the time of disclosure, and no workaround is provided. Users are advised to restrict network access to the SecuManager and monitor for vendor advisories for a future fix.