CVE-2020-15335
Description
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /registerCpe requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 exposes an unauthenticated endpoint for registering CPE devices (CVE-2020-15335).
Vulnerability
The /registerCpe endpoint in Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 does not require authentication [1]. The xmppCnrSender.py module, responsible for handling CPE registration via XMPP, communicates in cleartext and performs no authentication checks, allowing an attacker to send arbitrary registration requests [1].
Exploitation
An attacker needs only network access to the affected SecuManager appliance (no authentication or user interaction required). By sending crafted requests to the /registerCpe endpoint, the attacker can register unauthorized CPE devices without any credentials [1]. The XMPP communication used for this registration is also unauthenticated and transmitted in cleartext, making it trivial to observe or forge messages [1].
Impact
Successful exploitation enables an attacker to impersonate a legitimate CPE device or add rogue devices to the management system. This can lead to unauthorized control over managed security gateways, potential interception or manipulation of management traffic, and further compromise of the network infrastructure [1].
Mitigation
Zyxel has not released a patch for CVE-2020-15335 as of the advisory publication (March 2020). The product version 3.1.0/3.1.1 appears to be the latest and may be end-of-life (EOL) or end-of-support (EOS). No workaround is documented. Administrators should restrict network access to the SecuManager appliance via firewall rules and monitor for unauthorized CPE registration attempts [1].
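One way to do the monitoring step above, as an added example that is not from the advisory or from Zyxel. It assumes a proxy or firewall in front of the appliance writes Common Log Format lines; the allowlisted subnet, the sample log lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: a proxy or firewall in front of SecuManager writes Common Log
# Format lines. The log format and every address below are constructed.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Hypothetical allowlist: subnets where legitimate CPE devices live.
ALLOWED_CPE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

SAMPLE_LOG = """\
10.20.4.17 - - [09/Mar/2020:10:01:02 +0000] "POST /registerCpe HTTP/1.1" 200 52
203.0.113.45 - - [09/Mar/2020:10:03:11 +0000] "POST /registerCpe HTTP/1.1" 200 52
203.0.113.45 - - [09/Mar/2020:10:03:12 +0000] "POST /registerCpe?x=1 HTTP/1.1" 200 52
198.51.100.9 - - [09/Mar/2020:10:05:40 +0000] "GET /login HTTP/1.1" 200 1834
not a log line
"""

def is_allowed(src):
    """True only for a literal IP address inside an allowlisted CPE subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are treated as untrusted
    return any(addr in net for net in ALLOWED_CPE_NETS)

def unexpected_registrations(log_text):
    """Count /registerCpe requests per source outside the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Ignore query string and trailing slash when matching the endpoint.
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path.lower() == "/registercpe" and not is_allowed(m.group("src")):
            hits[m.group("src")] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, count in unexpected_registrations(SAMPLE_LOG).items():
        print(f"ALERT unexpected /registerCpe source {src}: {count} request(s)")
```

Because the endpoint accepts requests without credentials, the response status says nothing about legitimacy; the source address is the only signal this check relies on.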
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zyxel/CloudCNM SecuManager
- Range: = 3.1.0, = 3.1.1
Patches
No patches discovered yet.
References
- pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html (mitre, x_refsource_MISC)
- www.zyxel.com/support/vulnerabilities-of-CloudCNM-SecuManager.shtml (mitre, x_refsource_MISC)