CVE-2025-57602
Published: 22 September 2025
Summary
CVE-2025-57602 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 27.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-2 (Account Management).
Deeper analysis
CVE-2025-57602, published on 2025-09-22, affects the AiKaan IoT management platform due to insufficient hardening of the proxyuser account combined with the use of a shared, hardcoded SSH private key. This flaw resides in the cloud controller component, enabling unauthorized access. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-798 (Use of Hard-coded Credentials).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. They can authenticate to the cloud controller using the hardcoded SSH private key, obtain interactive shell access, and pivot to other connected IoT devices within customer environments. Successful exploitation leads to remote code execution, information disclosure, and privilege escalation across affected systems.
References for this CVE include documentation in the GitHub repository at https://github.com/Shubhangborkar/aikaan-vulnerabilities/blob/main/cve2-proxyuser-shell.md, which details the proxyuser shell access mechanism. No specific patches or mitigation steps are outlined in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30807
Vulnerability details
Insufficient hardening of the proxyuser account in the AiKaan IoT management platform, combined with the use of a shared, hardcoded SSH private key, allows remote attackers to authenticate to the cloud controller, gain interactive shell access, and pivot into other connected IoT devices. This can lead to remote code execution, information disclosure, and privilege escalation across customer environments.
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
Related Threats
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5)
IA-5 directly prohibits the use of hard-coded authenticators like the shared SSH private key for the proxyuser account, preventing remote authentication exploits.
AC-2 requires proper management, monitoring, and disabling of accounts such as the insufficiently hardened proxyuser, blocking unauthorized access and pivoting.
AC-17 enforces usage restrictions, authorization, protection, and monitoring of remote access sessions like SSH to the cloud controller, mitigating exploitation.
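As an added defender-side example for the weakness described above and the AC-2/AC-17/IA-5 controls (it is not part of this advisory and not AiKaan code), the following Python script audits proxyuser authorized_keys files collected from several cloud-controller hosts, computes OpenSSH-style SHA256 fingerprints, and flags any key that is present on more than one host, which is exactly the footprint a shared, hardcoded key leaves; it also reports whether any copy of that key is installed without restricting options. Host names, key blobs and option strings are constructed for the example, and the parser assumes option strings contain no spaces.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample: proxyuser authorized_keys as collected from two cloud-controller
# hosts. The key blobs are made-up ed25519 wire blobs, not the real AiKaan key.
SHARED_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g"
UNIQUE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIEFB" + "QUFB" * 10
SAMPLE_AUTHORIZED_KEYS = {
    "controller-a": (
        f"ssh-ed25519 {SHARED_BLOB} vendor-image-key\n"
        f'restrict,from="10.0.5.0/24" ssh-ed25519 {UNIQUE_BLOB} ops-jump\n'
    ),
    "controller-b": f"# baked into the image\nssh-ed25519 {SHARED_BLOB} vendor-image-key\n",
}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
RESTRICTIVE_OPTIONS = ("restrict", "from=", "command=")

def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: base64(sha256(key blob)) with padding stripped."""
    raw = base64.b64decode(blob_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Parse authorized_keys lines; assumes option strings contain no spaces."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        options = "" if parts[0].startswith(KEY_TYPE_PREFIXES) else parts.pop(0)
        if len(parts) < 2:
            continue  # malformed: no key type and blob
        entries.append({"options": options, "type": parts[0],
                        "fp": fingerprint(parts[1]), "comment": " ".join(parts[2:])})
    return entries

def audit_shared_keys(keys_by_host, account="proxyuser"):
    """Flag fingerprints present on more than one host; note if any copy is unrestricted."""
    hosts_by_fp = defaultdict(set)
    unrestricted = defaultdict(bool)
    for host, text in keys_by_host.items():
        for entry in parse_authorized_keys(text):
            hosts_by_fp[entry["fp"]].add(host)
            if not any(opt in entry["options"] for opt in RESTRICTIVE_OPTIONS):
                unrestricted[entry["fp"]] = True
    return [{"account": account, "fingerprint": fp, "hosts": sorted(hosts),
             "unrestricted": unrestricted[fp]}
            for fp, hosts in hosts_by_fp.items() if len(hosts) > 1]
```

A finding with `"unrestricted": True` is the case to rotate first: the key is both shared across hosts and usable for an interactive shell from any source address.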