CVE-2020-15340

Vulnerability

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 contain a hardcoded SSH private key located at opt/axess/AXAssets/default_axess/axess/TR69/Handlers/turbolink/sshkeys/id_rsa [1]. The key is embedded in the software package and is identical across all installations, allowing any attacker who obtains it to impersonate the server or decrypt SSH traffic.

Exploitation

An attacker with network access to the SSH service of the SecuManager can use the publicly disclosed private key to impersonate the server or perform a man-in-the-middle (MITM) attack against SSH sessions. The key is hardcoded and the same for every deployment, so no per-instance secrets are involved [1]. The attacker does not need prior authentication or local access.

Impact

A successful attack allows decryption of SSH traffic, enabling the attacker to intercept credentials and other sensitive data transmitted over supposedly encrypted SSH connections. The attacker can also impersonate the appliance, potentially leading to further compromise of managed devices or the management network. The impact is a breach of confidentiality and integrity for SSH communications.

Mitigation

As of the available references, no official patch or updated version has been announced for this specific CVE. The only known workaround is to replace the hardcoded SSH key manually on each affected appliance after deployment, though this may not be supported by the vendor. Users are advised to monitor Zyxel’s security advisories for future updates and consider limiting network exposure of the SecuManager until a fix is available [1].