CVE-2021-40520

Vulnerability

Airangel HSMX Gateway devices running firmware versions through 5.2.04 ship with default or weak SSH credentials that cannot be changed through the administrative interface [1]. The SSH service is enabled by default and exposes a command-line interface to the underlying operating system.

Exploitation

An attacker with network access to the management interface (typically port 22/TCP) can attempt to authenticate using known default credentials or perform a brute-force attack. No prior authentication or user interaction is required. The weak credential policy makes it feasible to guess or enumerate valid login pairs.

Impact

Successful authentication via SSH grants the attacker a root shell on the device, resulting in full system compromise. An attacker can read sensitive configuration files, modify device settings, intercept or redirect network traffic, and use the gateway as a pivot point into the internal network.

Mitigation

Airangel has not released a firmware update that addresses this weakness as of the publication date [1]. Users should restrict SSH access to trusted IP addresses via firewall rules, use strong unique passwords if the device allows credential changes, and monitor device logs for unauthorized SSH attempts. If possible, disable SSH on the gateway when not required.