A high-severity vulnerability exists in multiple Keysight Ixia Vision products due to the use of a hardcoded, default security certificate. This weakness could allow an attacker to intercept and decrypt sensitive network traffic, such as user credentials and API data, if the default certificate has not been replaced. Successful exploitation could lead to unauthorized device access and a compromise of data confidentiality and integrity.

This vulnerability, known as the "Use of Hard-coded Cryptographic Key" (CWE-321), stems from Keysight Ixia Vision devices being shipped with a default, static TLS certificate and its corresponding private key. Because this cryptographic key is identical across all devices, an attacker who extracts the key from one device or firmware image can impersonate any other vulnerable device. An attacker in a position to intercept network traffic (e.g., a Man-in-the-Middle attack) can use this key to decrypt communications to the device's management interface, exposing sensitive information like user authentication credentials and API payloads in cleartext.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to the complete compromise of the affected network visibility device. The primary business impacts include the loss of confidentiality of sensitive network and administrative data, potential for unauthorized configuration changes, and loss of integrity of the monitoring infrastructure. An attacker could gain administrative access, pivot to other network segments, or disable security monitoring, directly impacting the organization's security posture and operational capabilities.

Immediate Action: Apply vendor security updates immediately. The most critical step is to replace the default TLS certificate that shipped with the device with a unique, trusted certificate (e.g., one issued by an internal Certificate Authority or a trusted public CA). After patching, review access logs for any signs of unauthorized or anomalous activity that may have occurred prior to remediation.

Proactive Monitoring: Monitor network traffic for signs of Man-in-the-Middle (MitM) attacks or unexpected certificate errors related to the affected devices. Review device and authentication logs for unusual login patterns, such as repeated failed attempts or successful logins from untrusted IP addresses. Monitor for any unauthorized API calls or configuration changes on the Ixia Vision appliances.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Restrict network access to the device's management interface to a dedicated and secured management VLAN or subnet.
• Use a firewall to limit access to the device's management ports from only authorized administrative workstations.
• Manually replace the default TLS certificate, even before a patch is applied, to immediately mitigate the primary attack vector.

Public Exploit Available: false

This vulnerability presents a significant risk and requires immediate attention. We strongly recommend that all system owners identify affected Keysight Ixia Vision devices and prioritize the deployment of vendor-supplied patches and the replacement of default TLS certificates. Although this vulnerability is not currently on the CISA KEV list, its high CVSS score and the simplicity of exploitation post-key-discovery warrant treating it with urgency. Proactive implementation of the remediation and monitoring controls outlined above is critical to prevent potential compromise.