Unrated severity · NVD Advisory · Published Jun 26, 2020 · Updated Aug 4, 2024

CVE-2020-15331

Description

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded OAUTH_SECRET_KEY in /opt/axess/etc/default/axess.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 contain a hardcoded OAUTH_SECRET_KEY in /opt/axess/etc/default/axess, enabling attackers to forge OAuth tokens and gain unauthorized API access.

Vulnerability

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 include a hardcoded OAUTH_SECRET_KEY stored in the file /opt/axess/etc/default/axess [1]. This secret key is used for OAuth-based authentication with the cloud management API. The key is identical across all installations, making it a static credential that can be extracted from any instance of the software.

Exploitation

An attacker who gains read access to the affected file system—either through local access, another vulnerability, or by obtaining a copy of the software—can retrieve the hardcoded OAUTH_SECRET_KEY [1]. No authentication or user interaction is required beyond file read capability. With the key, the attacker can craft valid OAuth tokens and impersonate the legitimate application when communicating with the cloud API.

Impact

Successful exploitation allows an attacker to authenticate to the Zyxel CloudCNM SecuManager cloud API as the application itself [1]. This can lead to unauthorized access to managed devices, configuration data, and potentially further compromise of the network management infrastructure. The impact is broad because the same secret key is shared across all deployments.

Mitigation

As of the publication date (2020-06-26), no official fix or patched version has been released by Zyxel [1]. Users are advised to restrict access to the affected file system, monitor for unauthorized access, and consider isolating the SecuManager appliance from untrusted networks. No workaround is provided in the available references.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
