PT-2025-38730 · Unknown · Aikaan Cloud Controller

Published: 2025-09-22 · Updated: 2025-09-22 · CVE-2025-57601
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AiKaan Cloud Controller (affected versions not specified)
Description: The AiKaan Cloud Controller uses a single, hardcoded SSH private key and the username proxyuser for remote terminal access to all managed IoT/edge devices. When an administrator initiates an "Open Remote Terminal" action, the controller transmits this static private key to the target device. The device then establishes a reverse SSH tunnel to a remote access server, enabling browser-based SSH access. Because the same proxyuser account and SSH key are reused across all customer environments, an attacker who obtains the key can impersonate any managed device and establish unauthorized reverse SSH tunnels. This is a design flaw in the authentication model: compromise of a single key compromises the trust boundary between the controller and every device.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
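The flaw described above is one key trusted by every device, so the practical defender check is fleet-wide: collect the public half of each SSH key a device holds (for example the output of ssh-keygen -y -f on the deployed key file) and flag any fingerprint that shows up on more than one device. The script below is an added example written for this advisory, not AiKaan code; the device names, account names and key blobs are constructed placeholders, and the inventory format (device -> account -> list of public key lines) is an assumption.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of one public key line.

    Expects "<type> <base64 blob> [comment]" as written by ssh-keygen -y;
    an authorized_keys options prefix is not handled here.
    """
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line: %r" % pubkey_line)
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints base64 without the trailing '=' padding.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(fleet: dict) -> dict:
    """Return {fingerprint: sorted [(device, account), ...]} for every key
    present on more than one device. A key that appears under several
    accounts of a single device is not reported; only cross-device reuse is.
    """
    seen = defaultdict(set)
    for device, accounts in fleet.items():
        for account, lines in accounts.items():
            for line in lines:
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                seen[ssh_fingerprint(line)].add((device, account))
    return {
        fp: sorted(holders)
        for fp, holders in seen.items()
        if len({device for device, _ in holders}) > 1
    }


# Constructed sample inventory. The blobs are base64 of placeholder bytes, not
# real SSH keys; "proxyuser" mirrors the shared account named in the advisory.
SHARED_BLOB = base64.b64encode(b"placeholder blob shared across devices").decode()
UNIQUE_BLOB = base64.b64encode(b"placeholder blob unique to gateway-02").decode()

SAMPLE_FLEET = {
    "gateway-01": {
        "proxyuser": [f"ssh-ed25519 {SHARED_BLOB} proxyuser@controller"],
    },
    "gateway-02": {
        "proxyuser": [f"ssh-ed25519 {SHARED_BLOB} proxyuser@controller"],
        "admin": [f"ssh-ed25519 {UNIQUE_BLOB} admin@gateway-02"],
    },
    "gateway-03": {
        "proxyuser": ["# no controller key deployed here"],
    },
}


def report(fleet: dict) -> list:
    """Human-readable lines, one per shared key, for a ticket or SIEM alert."""
    lines = []
    for fp, holders in find_shared_keys(fleet).items():
        where = ", ".join(f"{device}:{account}" for device, account in holders)
        lines.append(f"{fp} is trusted on {len(holders)} devices ({where})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FLEET):
        print(line)
```

Any fingerprint the report lists is a single credential whose loss exposes every device that holds it; the remediation the advisory's description implies is one key pair per device, with the matching authorized_keys entry on the remote access server bound to that device alone.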

Exploit: Using Hardcoded Credentials
Weakness Enumeration:
Related Identifiers: CVE-2025-57601
Affected Products: Aikaan Cloud Controller