CVE-2023-40236: n/a in n/a
In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass.
AI Analysis
Technical Summary
CVE-2023-40236 affects the Pexip VMR self-service portal in versions prior to version 3: the same SSH host key is reused across different customers' installations. An SSH host key is a cryptographic key that uniquely identifies a server during SSH connections, so that clients can verify they are connecting to the legitimate server and not an impostor. When multiple deployments share one host key, an attacker who gains access to one instance's key can impersonate other installations, effectively bypassing that authentication.
The vulnerability falls under CWE-798, which relates to the use of hard-coded or shared credentials. The CVSS 3.1 base score is 5.3 (medium severity), with vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N: the vulnerability is remotely exploitable over the network without privileges, requires high attack complexity and user interaction, and impacts the integrity of the system but not confidentiality or availability.
No known exploits are currently reported in the wild. The vulnerability still poses a significant risk because it undermines the trust model of SSH authentication, potentially allowing attackers to perform man-in-the-middle attacks or gain unauthorized access to other customers' portals by leveraging the shared host key. The lack of unique host keys per installation is a fundamental security misconfiguration that can lead to authentication bypass and compromise the integrity of communications and operations within the affected Pexip VMR self-service portals.
Potential Impact
For European organizations using Pexip VMR self-service portals, this vulnerability could lead to unauthorized access to video meeting resources and administrative functions, potentially allowing attackers to manipulate meeting configurations, inject malicious content, or disrupt services. The integrity of communications could be compromised, leading to trust issues and potential leakage of sensitive operational details through manipulated meeting environments. Since Pexip is widely used for video conferencing and collaboration, especially in sectors like government, healthcare, and finance, exploitation could disrupt critical communications and damage organizational reputation. The medium CVSS score reflects the need for user interaction and high attack complexity, which may limit widespread exploitation but does not eliminate targeted attacks. Given the increasing reliance on remote collaboration tools in Europe, this vulnerability could be leveraged in targeted espionage or sabotage campaigns, especially against organizations with high-value communications. The reuse of SSH host keys also increases the risk of lateral movement between different customer environments if an attacker compromises one installation. This can have cascading effects on confidentiality and operational integrity across multiple organizations.
Mitigation Recommendations
Organizations should immediately verify whether their Pexip VMR self-service portals are running versions prior to 3 and assess if the same SSH host key is in use across multiple installations. Since no patch links are currently provided, a practical mitigation is to manually generate unique SSH host keys for each installation and replace the default or shared keys. This involves regenerating the SSH host key pairs on the server and distributing the updated public keys to clients to re-establish trust. Additionally, organizations should enforce strict SSH key management policies, including regular key rotation and monitoring for unauthorized key usage. Network segmentation can limit the impact of a compromised installation by isolating it from other critical systems. Monitoring SSH connection logs for unusual authentication attempts or host key mismatches can help detect exploitation attempts. Finally, organizations should engage with Pexip support to obtain official patches or updates and stay informed about any forthcoming security advisories. User training to recognize suspicious SSH warnings and connection anomalies can also reduce the risk of successful attacks requiring user interaction.
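An added example (not part of the original advisory and not Pexip tooling) of the first check above: given host key records in `ssh-keyscan` output format collected from several installations, it computes OpenSSH-style SHA256 fingerprints and reports any key served by more than one host. The hostnames and key bytes are constructed placeholders.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_output: str) -> dict:
    """Map fingerprint -> sorted hosts, only for keys seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan writes '# host:port SSH-2.0-...' comment lines
        fields = line.split()
        if len(fields) < 3:
            continue  # not a 'host keytype base64' record
        host, _keytype, key_b64 = fields[:3]
        try:
            hosts_by_fp[fingerprint(key_b64)].add(host)
        except ValueError:
            continue  # malformed base64: skip rather than mis-group
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


def _sample_line(host: str, raw_key: bytes) -> str:
    """Build a constructed ssh-ed25519 record (placeholder bytes, not a real key)."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed scan results: portal-a and portal-b present the same host key.
SAMPLE_SCAN = "\n".join([
    "# portal-a.example:22 SSH-2.0-OpenSSH_8.9",
    _sample_line("portal-a.example", b"\x11" * 32),
    _sample_line("portal-b.example", b"\x11" * 32),
    _sample_line("portal-c.example", b"\x22" * 32),
])

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} is served by: {', '.join(hosts)}")
```

Any fingerprint this reports for hosts that belong to separate installations means those installations need their host keys regenerated.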
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Norway, Finland, Denmark, Belgium, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2023-08-10T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9846c4522896dcbf517f
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/22/2025, 10:19:52 AM
Last updated: 7/31/2025, 3:53:12 PM