Unrated severity · NVD Advisory · Published Jun 29, 2020 · Updated Aug 4, 2024

CVE-2020-15324

Description

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a world-readable axess/opt/axXMPPHandler/config/xmpp_config.py file that stores hardcoded credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 stores hardcoded credentials in a world-readable configuration file.

Vulnerability

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 contain a world-readable configuration file at axess/opt/axXMPPHandler/config/xmpp_config.py that stores hardcoded credentials [1]. The file is readable by any user on the system, leaking credentials used for XMPP (Jabber) service authentication. This is one of multiple hardcoded credential issues in the product [1].

Exploitation

An attacker with local shell access (e.g., via a different vulnerability or authorized access) can simply read the file to obtain the credentials. No authentication or user interaction is required beyond local access to the filesystem. The attacker does not need network access to the XMPP service itself, as the credentials are stored in plaintext on disk [1].

Impact

Reading the stored credentials lets the attacker authenticate to the XMPP service as a privileged user, potentially enabling further lateral movement within the SecuManager system. The credentials may also be reused for other services if the same password is employed elsewhere [1]. The impact includes unauthorized access and potential escalation of privileges, depending on the role of the XMPP account.

Mitigation

Zyxel has not released a fix for this specific CVE as of the publication date. Affected versions 3.1.0 and 3.1.1 remain vulnerable. Administrators should restrict local filesystem access to trusted users and monitor for unauthorized access. The product may be end-of-life; consult Zyxel support for upgrade options [1].
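An audit check for the exposure described above, added here as an example and not taken from the advisory or from Zyxel. It reports whether the file at the advisory's path is readable by other users, including whether the parent directories allow traversal, and lists credential-like setting names without their values. The install root argument and the naming pattern for credential settings are assumptions.

```python
import os
import re
import stat
import sys

# Relative path as given in the advisory; the install root is an assumption.
REL_PATH = "axess/opt/axXMPPHandler/config/xmpp_config.py"
# Assumed naming pattern for credential-like settings assigned a string literal.
CRED_RE = re.compile(
    r"""^\s*(\w*(?:pass(?:word|wd)?|secret|user(?:name)?|jid)\w*)\s*=\s*['"]""",
    re.IGNORECASE,
)


def audit(root):
    """Report whether the config file under `root` is exposed to other users."""
    root_abs = os.path.abspath(root)
    path = os.path.join(root_abs, REL_PATH)
    mode = os.stat(path).st_mode
    other_read = bool(mode & stat.S_IROTH)

    # The read bit only matters if every directory from the file up to the
    # root grants search (o+x) permission to other users.
    traversable = True
    d = os.path.dirname(path)
    while True:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            traversable = False
        if d == root_abs:
            break
        d = os.path.dirname(d)

    # Collect setting names only; values are never stored or printed.
    names = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = CRED_RE.match(line)
            if m:
                names.append(m.group(1))

    exposed = other_read and traversable
    return {"path": path, "mode": oct(stat.S_IMODE(mode)),
            "world_readable": exposed, "credential_names": names,
            "finding": exposed and bool(names)}


if __name__ == "__main__":
    # Usage: python audit_xmpp_config.py <install-root>
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "/"))
```

The check reads only POSIX mode bits, so ACLs or mandatory access controls that grant or deny access separately are not reflected in the result.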

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
