Unrated severity · NVD Advisory · Published Jun 29, 2020 · Updated Aug 4, 2024

CVE-2020-15318

Description

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key for the root account within the /opt/mysql chroot directory tree.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zyxel CloudCNM SecuManager 3.1.0/3.1.1 ships a hardcoded DSA SSH key for root inside the /opt/mysql chroot, enabling man-in-the-middle attacks.

Vulnerability

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 contain a hardcoded DSA SSH key for the root account, located within the /opt/mysql chroot directory tree. The appliance uses this fixed key by default, and it is not regenerated during installation [1].
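
One way to audit a mounted appliance filesystem or extracted image for this condition, as an added example that is not Zyxel's code or part of the advisory: it walks a directory tree such as /opt/mysql and reports files holding DSA private keys or `ssh-dss` public-key lines. The file names and contents in the sample tree are constructed; the advisory does not give the key's exact path.

```python
import base64
import os
import tempfile

PEM_DSA = b"-----BEGIN DSA PRIVATE KEY-----"
# Base64 of the wire header "\x00\x00\x00\x07ssh-dss" that opens every DSA public key blob.
DSS_BLOB_PREFIX = base64.b64encode(b"\x00\x00\x00\x07ssh-dss\x00")[:14]

def classify(data):
    """Kinds of DSA key material in a file's bytes: PEM private key, ssh-dss key line."""
    kinds = {"dsa-private-key"} if PEM_DSA in data else set()
    for line in data.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok == b"ssh-dss" and tokens[i + 1].startswith(DSS_BLOB_PREFIX):
                kinds.add("dsa-public-key")
    return kinds

def scan_tree(root):
    """Walk root without following symlinks; return sorted (relative path, kind)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # key files are small; cap the read
            except OSError:
                continue
            findings.extend((os.path.relpath(path, root), k) for k in classify(data))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree; its file names and contents are made up."""
    with tempfile.TemporaryDirectory() as root:
        blob = base64.b64encode(b"\x00\x00\x00\x07ssh-dss" + b"\x00" * 20).decode()
        files = {
            "authorized_keys": "ssh-dss %s constructed\n" % blob,
            "id_dsa": PEM_DSA.decode() + "\nCONSTRUCTED\n",
            "sshd_config": "HostKeyAlgorithms ssh-dss\n",  # names the algorithm, no key
        }
        for name, text in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Call `scan_tree("/opt/mysql")` against the real tree. Keys stored in the newer `BEGIN OPENSSH PRIVATE KEY` container are not classified by type here.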

Exploitation

An attacker positioned on the network can perform a man-in-the-middle (MITM) attack against SSH connections to the affected appliance. Because the private key is known and static, the attacker can impersonate the server or decrypt captured SSH traffic without authentication or user interaction beyond the normal SSH handshake [1].

Impact

Successful exploitation results in loss of confidentiality and integrity of SSH-protected communications. The attacker can intercept credentials, configuration data, or other sensitive information transmitted over SSH sessions, and can inject or modify traffic as part of the MITM attack [1].

Mitigation

Zyxel has not released a patch as of the advisory date. The affected product is end-of-life (EOL). The only recommended mitigation is to decommission and replace the appliance with a supported alternative, or to isolate it from untrusted networks [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2