CVE-2020-15333

Vulnerability

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 contain a vulnerability where the MySQL database allows unauthenticated queries. An attacker can execute select * from Administrator_users and select * from Users_users to retrieve all user accounts and their credentials [1]. The MySQL service is exposed and lacks authentication controls.

Exploitation

An attacker with network access to the MySQL port (default 3306) can connect to the database without authentication and run the two SELECT queries [1]. No prior credentials, user interaction, or special privileges are required. The attack is a simple network-level query.

Impact

Successful exploitation results in complete disclosure of all administrator and regular user accounts, including their hashed or plaintext passwords depending on storage [1]. This allows the attacker to authenticate to the SecuManager web interface and gain unauthorized administrative access, leading to full compromise of the network management platform.

Mitigation

Zyxel released a fix; users should upgrade to a patched version as soon as available [1]. If an upgrade is not immediately possible, restrict network access to the MySQL service using firewall rules to limit exposure to trusted hosts only. The affected versions are 3.1.0 and 3.1.1.