CVE-2025-57601
AiKaan · AiKaan Cloud Controller
A critical vulnerability exists in the AiKaan Cloud Controller, which uses a single, hardcoded SSH private key and username for remote access to all managed devices.
Executive summary
A critical vulnerability exists in the AiKaan Cloud Controller, which uses a single, hardcoded SSH private key and username for remote access to all managed devices. This allows an attacker who discovers the key to gain complete, unauthorized remote control over any IoT or edge device managed by the platform, leading to a full compromise of the device fleet.
Vulnerability
The AiKaan Cloud Controller software contains a hardcoded SSH private key which is used in conjunction with the static username proxyuser to establish remote terminal sessions to all managed IoT and edge devices. This design flaw means that a single, static credential is used across all devices and all customer deployments. An attacker can extract this private key by reverse-engineering the controller software or an agent installed on a device. With this key and username, the attacker can bypass authentication and gain privileged shell access to any device managed by a vulnerable controller, provided they have network access to the device's SSH port.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of an organization's entire fleet of managed IoT/edge devices. Potential consequences include theft of sensitive data from devices, service disruption, deployment of malware or ransomware, and the use of compromised devices in botnets for DDoS attacks. If these devices control physical systems (e.g., in industrial or operational technology environments), exploitation could result in physical damage, safety incidents, and significant financial and reputational harm.
Remediation
Immediate Action: Update the AiKaan Cloud Controller to the latest version provided by the vendor, which replaces the hardcoded key with a secure, unique credential mechanism. After patching, monitor for exploitation attempts and review access logs for unauthorized connections using the proxyuser account that may have occurred before the update.
Proactive Monitoring: Monitor SSH access logs on all managed devices for connections using the username proxyuser. Investigate any connections originating from untrusted or unexpected IP addresses. Implement network monitoring to detect anomalous traffic patterns or outbound connections from IoT devices that could indicate a compromise.
Compensating Controls: If patching cannot be performed immediately, implement strict network segmentation to isolate the IoT/edge devices from the internet and other corporate networks. Use firewall rules to restrict all SSH access to the devices, allowing connections only from the known, trusted IP address of the management controller. If the feature is not essential, consider temporarily disabling the remote terminal access capability within the AiKaan Cloud Controller.
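As an added illustration of the monitoring and compensating-control advice above (example code written for this page, not tooling from AiKaan or from the advisory), the following Python script scans OpenSSH auth-log lines for proxyuser authentication events whose source address lies outside an assumed allowlist of trusted controller networks. The log lines and the 203.0.113.0/24 controller allowlist are constructed sample values.

```python
import re
from ipaddress import ip_address, ip_network

# Matches OpenSSH "Accepted"/"Failed" authentication lines in a syslog-style auth log.
SSH_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.:a-fA-F]+) port \d+"
)

# Constructed sample log lines (not real telemetry); 203.0.113.10 stands in for the controller.
SAMPLE_LOG = """\
Sep 12 08:01:02 edge-01 sshd[2111]: Accepted publickey for proxyuser from 203.0.113.10 port 50122 ssh2: RSA SHA256:aaaa
Sep 12 08:05:17 edge-01 sshd[2150]: Accepted publickey for proxyuser from 198.51.100.77 port 41002 ssh2: RSA SHA256:aaaa
Sep 12 08:06:40 edge-01 sshd[2162]: Failed publickey for proxyuser from 198.51.100.77 port 41010 ssh2: RSA SHA256:bbbb
Sep 12 08:09:03 edge-01 sshd[2170]: Accepted password for admin from 203.0.113.10 port 50130 ssh2
Sep 12 08:11:55 edge-01 sshd[2180]: Accepted publickey for proxyuser from 2001:db8::9 port 33000 ssh2: ED25519 SHA256:cccc
"""

# Assumed allowlist: the network(s) the management controller is known to connect from.
TRUSTED_CONTROLLERS = [ip_network("203.0.113.0/24")]


def is_trusted(src: str, trusted=TRUSTED_CONTROLLERS) -> bool:
    """True if the source address falls inside one of the trusted controller networks."""
    addr = ip_address(src)
    return any(addr in net for net in trusted)


def find_suspicious_proxyuser_logins(log_text: str, user: str = "proxyuser", trusted=TRUSTED_CONTROLLERS):
    """Return (line_no, result, src) for every sshd auth event for `user` from a non-trusted source.

    Accepted logins and failed attempts are both reported: a failed attempt from an unknown
    host may be a probe with a recovered key. Other accounts are ignored to keep the output
    focused on the account this CVE concerns."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = SSH_AUTH_RE.search(line)
        if not m or m.group("user") != user:
            continue
        if not is_trusted(m.group("src"), trusted):
            findings.append((line_no, m.group("result"), m.group("src")))
    return findings


if __name__ == "__main__":
    for line_no, result, src in find_suspicious_proxyuser_logins(SAMPLE_LOG):
        print(f"line {line_no}: {result} login for proxyuser from untrusted source {src}")
```

On a real device, feed the script the contents of the sshd auth log (journal or /var/log/auth.log, depending on the distribution) and populate the allowlist with the controller addresses already permitted by the firewall rules described above.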
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8 and the risk of a complete compromise of all managed devices, this vulnerability poses an immediate and severe threat. We strongly recommend that all organizations using the affected AiKaan Cloud Controller prioritize applying the vendor-supplied patch immediately. Although not yet on the CISA KEV list, the ease of exploitation makes it a highly attractive target for attackers. This issue should be treated as a critical priority for remediation to prevent widespread system compromise.