VYPR
Unrated severity · NVD Advisory · Published Jun 29, 2020 · Updated Aug 4, 2024

CVE-2020-15322

Description

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the wbboEZ4BN3ssxAfM hardcoded password for the debian-sys-maint account.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-15322 results from a hardcoded password (wbboEZ4BN3ssxAfM) for the debian-sys-maint MySQL account in Zyxel CloudCNM SecuManager, enabling attackers to gain unauthorized database access.

Vulnerability

The vulnerability resides in Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1. The MySQL database contains a hardcoded password, wbboEZ4BN3ssxAfM, for the debian-sys-maint account [1]. This account is typically used for system maintenance tasks. The password is identical across installations and cannot be changed without external tooling, and there is no mechanism to disable it [1].

Exploitation

An attacker with network access to the SecuManager server can connect to the MySQL service (likely on the default port 3306) and authenticate as debian-sys-maint using the known password [1]. No other credentials or prior compromise are necessary. The attacker may then execute arbitrary SQL queries against the MySQL instance.

Impact

Successful authentication as debian-sys-maint grants full read and write access to the MySQL database underlying the SecuManager application. This could allow an attacker to extract sensitive configuration data, user credentials, or network topology information, and potentially modify database content to compromise the integrity of the management system [1].

Mitigation

As of the publication date (2020-06-29), Zyxel had not released a fixed version. Users are advised to restrict network access to the MySQL port (3306) to only trusted administrative hosts via firewall rules, and to monitor for any unauthorized database connections. The vendor has not announced an end-of-life status for this product in the available references [1].
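The monitoring step above can be sketched as a small log check. This is an added example, not code from the advisory or from Zyxel. It assumes the MySQL general query log is enabled and uses its `Connect` line layout; the trusted network list, the `secuapp` account, and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

ACCOUNT = "debian-sys-maint"
# Assumption: only loopback and one admin workstation may use this account.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.0.2.10/32")]

# General query log connect event:
#   <timestamp> <thread id> Connect <user>@<host> on <db> using <transport>
CONNECT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+Connect\s+(?P<user>[^@\s]+)@(?P<host>\S+)\s+on\b")

def is_trusted(host):
    """True for local socket logins and addresses inside TRUSTED_NETS."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname we cannot place on the allowlist: review it
    return any(addr in net for net in TRUSTED_NETS)

def find_suspect_connects(lines):
    """Return (timestamp, host) for each debian-sys-maint login from an untrusted host."""
    hits = []
    for line in lines:
        m = CONNECT_RE.match(line)
        if m and m["user"] == ACCOUNT and not is_trusted(m["host"]):
            hits.append((m["ts"], m["host"]))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
2020-07-01T08:00:01.000000Z\t   11 Connect\tdebian-sys-maint@localhost on  using Socket
2020-07-01T08:05:12.000000Z\t   12 Connect\tsecuapp@localhost on appdb using Socket
2020-07-01T09:14:40.000000Z\t   13 Connect\tdebian-sys-maint@203.0.113.45 on  using TCP/IP
2020-07-01T09:14:41.000000Z\t   13 Query\tSHOW DATABASES
2020-07-01T10:30:00.000000Z\t   14 Connect\tdebian-sys-maint@192.0.2.10 on  using TCP/IP
""".splitlines()

if __name__ == "__main__":
    for ts, host in find_suspect_connects(SAMPLE_LOG):
        print(f"ALERT {ts}: {ACCOUNT} login from untrusted host {host}")
```

Because the password is the same on every installation, a successful remote login as this account is the signal to alert on; the firewall restriction on port 3306 remains the primary control.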

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.
