
CVE-2025-57601: n/a

Severity: Critical
Published: Mon Sep 22 2025 (09/22/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

AiKaan Cloud Controller uses a single hardcoded SSH private key and the username `proxyuser` for remote terminal access to all managed IoT/edge devices. When an administrator initiates "Open Remote Terminal" from the AiKaan dashboard, the controller sends this same static private key to the target device. The device then uses it to establish a reverse SSH tunnel to a remote access server, enabling browser-based SSH access for the administrator. Because the same `proxyuser` account and SSH key are reused across all customer environments:

- An attacker who obtains the key (e.g., by intercepting it in transit, extracting it from the remote access server, or from a compromised admin account) can impersonate any managed device.
- They can establish unauthorized reverse SSH tunnels and interact with devices without the owner's consent.

This is a design flaw in the authentication model: compromise of a single key compromises the trust boundary between the controller and devices.

AI-Powered Analysis

Last updated: 09/22/2025, 15:35:26 UTC

Technical Analysis

CVE-2025-57601 describes a critical authentication design flaw in the AiKaan Cloud Controller system used to manage IoT and edge devices. The vulnerability stems from the use of a single hardcoded SSH private key and a shared username 'proxyuser' across all managed devices and customer environments. When an administrator initiates remote terminal access via the AiKaan dashboard, the controller transmits this static private key to the target device, which then establishes a reverse SSH tunnel to a remote access server. This mechanism enables browser-based SSH access for administrators. However, because the same SSH key and username are reused universally, the compromise of this key by any means—such as interception during transmission, extraction from the remote access server, or compromise of an administrator account—allows an attacker to impersonate any managed device. This impersonation enables unauthorized establishment of reverse SSH tunnels and full interactive access to devices without owner consent. The fundamental issue is a broken trust boundary due to key reuse and static credentials, which violates best practices for cryptographic authentication and device identity management. The vulnerability affects all deployments of AiKaan Cloud Controller that use this authentication model, regardless of version, as no version-specific information is provided. No known exploits are currently reported in the wild, but the design flaw presents a high risk for future exploitation, especially in environments with many IoT/edge devices relying on this controller for remote management.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of IoT and edge device infrastructure. Compromise could lead to unauthorized access to critical operational technology, data exfiltration, manipulation of device behavior, or disruption of services dependent on these devices. Given the increasing adoption of IoT in sectors such as manufacturing, energy, transportation, and smart city infrastructure across Europe, attackers exploiting this flaw could cause operational downtime, safety hazards, and regulatory compliance violations (e.g., GDPR if personal data is involved). The ability to impersonate devices and establish reverse tunnels also facilitates lateral movement within networks, potentially escalating attacks to broader enterprise systems. The lack of unique credentials per device or customer environment amplifies the blast radius of a single key compromise, making containment and remediation more difficult. This is especially critical for European organizations with stringent cybersecurity and data protection requirements and those operating in critical infrastructure sectors.

Mitigation Recommendations

Mitigation requires immediate architectural changes beyond simple patching. Organizations should:

1) Work with AiKaan to implement per-device or per-customer unique SSH keys and credentials, eliminating the use of a single hardcoded private key.
2) Enforce secure key distribution mechanisms that avoid transmitting private keys in plaintext or over insecure channels.
3) Implement multi-factor authentication and strict access controls for administrator accounts to reduce the risk of credential compromise.
4) Monitor network traffic for anomalous reverse SSH tunnel activity and unauthorized connections to the remote access server.
5) Conduct regular audits of key usage and access logs to detect potential misuse.
6) Where possible, isolate IoT/edge device management networks from general enterprise networks to limit lateral movement.
7) Employ network segmentation and zero-trust principles around IoT infrastructure.
8) If immediate fixes from the vendor are unavailable, consider disabling the remote terminal feature or replacing the AiKaan Cloud Controller with a more secure alternative until the vulnerability is addressed.
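The audit in recommendations 1 and 5 can be automated from the remote access server's own sshd log: if one key fingerprint (or one account such as `proxyuser`) authenticates from many distinct device addresses, the fleet is still on the shared-key model; once per-device keys are rolled out, each device should authenticate only with the key assigned to it. The following is an added example written for this page, not AiKaan's code. It assumes OpenSSH's default `Accepted publickey for USER from ADDR port N ssh2: TYPE SHA256:...` log format; the log lines, addresses, fingerprints and the device inventory are constructed samples, and only the `proxyuser` account name comes from the advisory.

```python
"""Audit an sshd log for a shared SSH key/account reused across a device fleet.

Added example, not vendor code. Groups "Accepted publickey" events by key
fingerprint and checks each source device against an expected per-device
key inventory (the remediated state recommended above).
"""
import re
from collections import defaultdict

# OpenSSH INFO-level success line (real format); captured fields are the
# account, source address, key type and SHA256 fingerprint.
ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)

# Constructed sample log: three devices all use the same key and account
# (the shared-key model), one device uses its own key, plus unrelated noise.
SAMPLE_LOG = """\
Sep 22 10:01:02 ras sshd[1201]: Accepted publickey for proxyuser from 10.10.1.5 port 51234 ssh2: ED25519 SHA256:SHAREDKEY_placeholder
Sep 22 10:03:17 ras sshd[1219]: Accepted publickey for proxyuser from 10.10.1.6 port 49822 ssh2: ED25519 SHA256:SHAREDKEY_placeholder
Sep 22 10:04:40 ras sshd[1233]: Failed password for root from 198.51.100.7 port 40001 ssh2
Sep 22 10:09:55 ras sshd[1250]: Accepted publickey for proxyuser from 10.10.2.9 port 50111 ssh2: ED25519 SHA256:SHAREDKEY_placeholder
Sep 22 10:12:08 ras sshd[1262]: Accepted publickey for dev-0042 from 10.10.1.7 port 52000 ssh2: ED25519 SHA256:UNIQUE42_placeholder
"""

# Constructed inventory: device source address -> fingerprint it was issued.
SAMPLE_INVENTORY = {
    "10.10.1.5": "SHA256:DEV05_placeholder",    # was issued its own key but still uses the shared one
    "10.10.1.7": "SHA256:UNIQUE42_placeholder",
}


def parse_accepts(lines):
    """Yield dicts (user, src, ktype, fp) for each successful public-key login."""
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            yield m.groupdict()


def find_shared_keys(lines, max_sources=1):
    """Return {fingerprint: {"users": set, "sources": set}} for every key that
    authenticated from more than max_sources distinct addresses.

    A per-device key should never exceed one source; a key seen from many
    devices is the hardcoded-key pattern this advisory describes.
    """
    usage = defaultdict(lambda: {"users": set(), "sources": set()})
    for rec in parse_accepts(lines):
        usage[rec["fp"]]["users"].add(rec["user"])
        usage[rec["fp"]]["sources"].add(rec["src"])
    return {fp: u for fp, u in usage.items() if len(u["sources"]) > max_sources}


def check_inventory(lines, inventory):
    """Return {src: reason} for devices that authenticated with a key other
    than the one assigned to them, or that are not in the inventory at all.
    """
    findings = {}
    for rec in parse_accepts(lines):
        expected = inventory.get(rec["src"])
        if expected is None:
            findings[rec["src"]] = "unknown source: no key issued to this device"
        elif rec["fp"] != expected:
            findings[rec["src"]] = "unexpected key: %s (expected %s)" % (rec["fp"], expected)
    return findings


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for fp, u in find_shared_keys(lines).items():
        print("shared key %s used by %s from %d devices" % (fp, sorted(u["users"]), len(u["sources"])))
    for src, reason in sorted(check_inventory(lines, SAMPLE_INVENTORY).items()):
        print("%s: %s" % (src, reason))
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh`) exported from the remote access server; `find_shared_keys` reports the hardcoded key while it is still in use, and `check_inventory` becomes the ongoing control after per-device keys are issued, so any device falling back to a key it was not assigned shows up on the next audit.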


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-17T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68d16c8bd2635369c1db5470

Added to database: 9/22/2025, 3:34:35 PM

Last enriched: 9/22/2025, 3:35:26 PM

Last updated: 9/24/2025, 12:09:15 AM
