Advantech EKI Hard-coded SSH Keys Vulnerability

Monitor6.5ICS-CERT ICSA-15-309-01Aug 8, 2015

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Advantech EKI industrial gateways (EKI-136, EKI-132, and EKI-122-BE product lines) contain hard-coded SSH keys in their firmware. This allows an attacker with network access to log in via SSH without valid user credentials. The vulnerability affects firmware versions below 1.27, 1.98, and 1.65 for the respective product lines. Advantech has not released patches and does not plan to fix this issue in these end-of-life products.

What this means

What could happen

An attacker with network access to an Advantech EKI industrial gateway could use hard-coded SSH credentials to remotely log in and execute commands, potentially disrupting network communications between field devices and control systems.

Who's at risk

Water authorities and electric utilities using Advantech EKI industrial gateways (specifically EKI-136, EKI-132, and EKI-122-BE models) for remote network access to water treatment, wastewater, or power distribution SCADA systems. These gateways are commonly used to bridge field devices and RTUs to central control systems.

How it could be exploited

An attacker scans for Advantech EKI gateways on the network, discovers the SSH service (port 22), and logs in using hard-coded SSH keys embedded in the device firmware. Once authenticated, the attacker has command-line access to modify routing, intercept traffic, or disconnect field devices from supervisory control systems.

Prerequisites

Network access to TCP port 22 (SSH) on the affected EKI gateway
No additional credentials required; authentication relies on hard-coded SSH keys in firmware

Remotely exploitable via SSHNo authentication required beyond hard-coded keysLow attack complexityNo vendor fix available (end-of-life products)Affects network infrastructure in OT environments

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

EKI-136* product line firmware: <1.27<1.27No fix (EOL)

EKI-132* product line firmware: <1.98<1.98No fix (EOL)

EKI-122*-BE product line firmware: <1.65<1.65No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict network access to SSH port 22 (TCP) on Advantech EKI gateways using firewall rules; allow only authorized engineering and management workstations.

HARDENINGConduct an inventory of all Advantech EKI devices in the network and document their firmware versions and network location.

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGPlace Advantech EKI gateways on a separate, segmented network or VLAN with strict inbound/outbound filtering.

HARDENINGMonitor SSH access logs on Advantech EKI gateways for unauthorized login attempts or successful authentication events.

WORKAROUNDDisable SSH on Advantech EKI gateways if not required for ongoing operations, or restrict it to a management network only.

CVEs (1)

CVE-2015-6476

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/305f742a-1bab-4c05-a663-dccad96ed6d1