VYPR
Unrated severity · NVD Advisory · Published Feb 6, 2020 · Updated Aug 4, 2024

CVE-2020-6760

Description

Schmid ZI 620 V400 VPN 090 routers allow authenticated OS command injection via shell metacharacters in the SSH subcommand menu.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Schmid ZI 620 V400 VPN 090 router (firmware version V400) contains a command injection vulnerability in the SSH subcommand menu. After authenticating via SSH, the user is presented with a restricted shell offering network utilities such as ping. While the web interface sanitizes input, the SSH restricted shell does not. An attacker can inject arbitrary OS commands by appending shell metacharacters (e.g., ;) to the selected subcommand. The vulnerability is present in the ZI 620 V400 VPN 090 model; other versions may also be affected [1].

Exploitation

An attacker must have network access to the router's SSH service (default port 22) and valid credentials. The default credentials are root:root [1]. After logging in, the attacker selects a subcommand (e.g., ping) and appends a semicolon followed by the desired OS command. The restricted shell executes the entire string as a root shell command, bypassing the intended menu restrictions [1].

Impact

Successful exploitation grants the attacker root-level command execution on the router. This allows full compromise of the device, including data exfiltration, installation of backdoors, or using the router as a pivot point into the internal network [1].

Mitigation

According to the disclosure timeline, the vendor was notified in October 2019 and January 2020 and did not respond; no official patch has been released [1]. Mitigations include changing the default SSH credentials, disabling SSH access if not required, and restricting network access to the router's management interface. The device is not listed in CISA's Known Exploited Vulnerabilities catalog.
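
What a device-side fix for this class of bug looks like, as an added example (not Schmid's code, which this page does not show): a Python model of a menu handler that validates the target and executes an argv list instead of a shell string, next to the concatenation pattern the description implies. The menu entries, function names and sample inputs are assumptions made for illustration.

```python
import ipaddress
import re
import subprocess

# Hypothetical menu: subcommand -> fixed argv prefix (assumed, not the router's real menu).
MENU = {"ping": ["ping", "-c", "4"], "traceroute": ["traceroute"]}

# One DNS label: alphanumeric ends, hyphens only inside, so it can never look like an option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
_ALLOWED = re.compile(r"[0-9A-Za-z.:-]{1,253}")


def unsafe_shell_string(subcommand, user_text):
    """Assumed vulnerable pattern: user text concatenated into a string for `sh -c`."""
    return f"{subcommand} {user_text}"  # shell metacharacters in user_text stay live


def validate_target(text):
    """Return text if it is an IP literal or DNS hostname; raise ValueError otherwise."""
    if not _ALLOWED.fullmatch(text):
        raise ValueError(f"illegal character in target: {text!r}")
    try:
        ipaddress.ip_address(text)
        return text
    except ValueError:
        pass
    if _HOSTNAME.fullmatch(text):
        return text
    raise ValueError(f"not an IP address or hostname: {text!r}")


def build_argv(line):
    """Parse '<subcommand> <target>' into an argv list; nothing is handed to a shell."""
    parts = line.split()
    if len(parts) != 2 or parts[0] not in MENU:
        raise ValueError("usage: <subcommand> <target>")
    return MENU[parts[0]] + [validate_target(parts[1])]


def run_menu_command(line):
    """Execute the validated argv directly (no shell) with a bounded runtime."""
    return subprocess.run(build_argv(line), shell=False, timeout=30, check=False)


if __name__ == "__main__":
    for sample in ["ping 192.0.2.10", "ping 192.0.2.10;id", "ping -f"]:  # constructed inputs
        try:
            print(sample, "->", build_argv(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

The allowlist also rejects a leading hyphen, so a target cannot be read by the utility as an option even though no shell is involved.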

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1