Unrated severity · NVD Advisory · Published Jun 26, 2020 · Updated Aug 4, 2024

CVE-2020-15342

Description

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 expose the zy_install_user API endpoint without authentication, allowing arbitrary user installation.

Vulnerability

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 expose an unauthenticated zy_install_user API endpoint. This API does not require any authentication, enabling an attacker to call it directly without prior access to the system [1].

Exploitation

An attacker with network connectivity to the SecuManager instance can send HTTP requests to the zy_install_user API endpoint. No authentication, user interaction, or special network position beyond reachability is required. The attacker can craft a request to install a new user account with arbitrary parameters [1].

Impact

Successful exploitation allows the attacker to create a user account on the SecuManager, potentially with administrative privileges. This leads to full compromise of the management platform, enabling further actions such as device configuration changes, data exfiltration, or lateral movement within the managed network [1].

Mitigation

Zyxel has not released a public fix for this vulnerability as of the available references. Users are advised to restrict network access to the SecuManager appliance and monitor for unauthorized API calls. The product may be end-of-life; contacting Zyxel support for guidance is recommended [1].
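One way to monitor for calls to this endpoint, as an added example that is not part of the advisory or any Zyxel tooling: a log check that flags every request naming zy_install_user and marks whether it came from a management network. It assumes a web server or reverse proxy in front of the appliance writes Apache/nginx "combined" access logs; the trusted range, the `/PLACEHOLDER/` path prefix and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

ENDPOINT = "zy_install_user"  # API name taken from the advisory
# Assumption: the only network that should reach the appliance at all.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumption: access log lines in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or malformed client field
    return any(addr in net for net in TRUSTED_NETS)

def find_install_user_calls(lines):
    """Return one dict per logged request whose target names the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so percent-encoded and double-encoded targets still match.
        target = unquote(unquote(m["target"])).lower()
        if ENDPOINT not in target:
            continue
        # The API needs no login, so calls from trusted sources are kept for review too.
        hits.append({"src": m["src"], "time": m["ts"], "method": m["method"],
                     "status": int(m["status"]),
                     "trusted_source": is_trusted(m["src"])})
    return hits

# Constructed sample lines; the path prefix is a placeholder, not the real URL.
SAMPLE = [
    '10.20.0.5 - - [26/Jun/2020:10:00:01 +0000] "GET /PLACEHOLDER/status HTTP/1.1" 200 512 "-" "curl"',
    '203.0.113.7 - - [26/Jun/2020:10:02:13 +0000] "POST /PLACEHOLDER/zy_install_user HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.9 - - [26/Jun/2020:10:05:40 +0000] "POST /PLACEHOLDER/zy%5Finstall%5Fuser HTTP/1.1" 404 0 "-" "-"',
    '10.20.0.5 - - [26/Jun/2020:10:09:02 +0000] "POST /PLACEHOLDER/zy_install_user HTTP/1.1" 200 87 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_install_user_calls(SAMPLE):
        print("INFO" if hit["trusted_source"] else "ALERT", hit)
```

A hit from outside the trusted range with a 2xx status is the case to escalate first, followed by a review of the appliance's user list.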

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
