cbcvebase.
CVE-2015-0936
published 2017-06-01

CVE-2015-0936: Ceragon FibeAir IP-10 have a default SSH public key in the authorized_keys file for the mateidu user, which allows remote attackers to obtain SSH access by…

PriorityP180critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
78.09%
99.5th percentile
Ceragon FibeAir IP-10 have a default SSH public key in the authorized_keys file for the mateidu user, which allows remote attackers to obtain SSH access by leveraging knowledge of the private key.

Detection & IOCsextracted from sources · hover to see the quote

other-----BEGIN RSA PRIVATE KEY----- MIICWwIBAAKBgQDBEh0OUdoiplc0P+XW8VPu57etz8O9eHbLHkQW27EZBEdXEYxr MOFXi+PkA0ZcNDBRgjSJmHpo5WsPLwj/L3/L5gMYK+yeqsNu48ONbbqzZsFdaBQ+ IL3dPdMDovYo7GFVyXuaWMQ4hgAJEc+kk1hUaGKcLENQf0vEyt01eA/k6QIBIwKB gQCwhZbohVm5R6AvxWRsv2KuiraQSO16B70ResHpA2AW31crCLrlqQiKjoc23mw3 CyTcztDy1I0stH8j0zts+DpSbYZnWKSb5hxhl/w96yNYPUJaTatgcPB46xOBDsgv 4Lf4GGt3gsQFvuTUArIf6MCJiUn4AQA9Q96QyCH/g4mdiwJBAPHdYgTDiQcpUAbY SanIpq7XFeKXBPgRbAN57fTwzWVDyFHwvVUrpqc+SSwfzhsaNpE3IpLD9RqOyEr6 B8YrC2UCQQDMWrUeNQsf6xQer2AKw2Q06bTAicetJWz5O8CF2mcpVFYc1VJMkiuV 93gCvQORq4dpApJYZxhigY4k/f46BlU1AkAbpEW3Zs3U7sdRPUo/SiGtlOyO7LAc WcMzmOf+vG8+xesCDOJwIj7uisaIsy1/cLXHdAPzhBwDCQDyoDtnGty7AkEAnaUP YHIP5Ww0F6vcYBMSybuaEN9Q5KfXuPOUhIPpLoLjWBJGzVrRKou0WeJElPIJX6Ll 7GzJqxN8SGwqhIiK3wJAOQ2Hm068EicG5WQoS+8+KIE/SVHWmFDvet+f1vgDchvT uPa5zx2eZ2rxP1pXHAdBSgh799hCF60eZZtlWnNqLg== -----END RSA PRIVATE KEY-----
pathauthorized_keys
  • Detect SSH authentication attempts to Ceragon FibeAir IP-10 devices using the 'mateidu' username — any successful login with this account using publickey auth should be treated as exploitation of CVE-2015-0936.
  • The exploit authenticates exclusively via SSH public key (no password). Alert on publickey-method SSH logins for the 'mateidu' user on port 22.
  • Post-authentication, the exploit immediately spawns /bin/sh over the SSH channel. Monitor for interactive shell sessions spawned directly from SSH daemon processes under the mateidu account.
  • The hardcoded RSA private key (MIICWwIBAAKBgQDBEh0OUdoiplc0P+...) is embedded in the Metasploit module and public exploits. Fingerprint the public key counterpart in authorized_keys files on SSH servers to identify vulnerable or compromised Ceragon devices.
  • ·The default SSH_TIMEOUT for the Metasploit exploit module is 30 seconds; network-level detection rules should account for slow or delayed SSH negotiation that may still represent exploitation attempts.
  • ·The exploit supports proxy chaining (datastore['Proxies']), meaning the true attacker source IP may be obscured. IP-based blocking alone is insufficient.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.