CVE-2020-15343
Description
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user_key API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 expose an unauthenticated API for installing user keys, allowing attackers to gain unauthorized access.
Vulnerability
Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 contain an unauthenticated zy_install_user_key API endpoint. This API allows an attacker to install a new user key without any authentication or authorization checks. It is trivial to exploit because the endpoint is reachable over the network without credentials [1].
Exploitation
An attacker can send a crafted HTTP request directly to the zy_install_user_key API without any prior authentication, session, or special network position. The reference notes that the appliance runs daemons as root and lacks a firewall by default, making the endpoint accessible from the WAN [1]. Exploitation amounts to posting a chosen key, which the server will install.
Impact
By exploiting this API, an attacker can install a new user key, effectively creating a backdoor account or granting unauthorized access to the SecuManager platform. This can lead to full compromise of the device, enabling further privilege escalation, data exfiltration, or lateral movement within the managed network [1].
Mitigation
As of the reference publication date (March 2020), no official patch had been released by Zyxel for these vulnerabilities [1]. Users are advised to restrict network access to the SecuManager appliance, ensure it is not exposed to the internet, and monitor for vendor updates. The product may be end-of-life; contact Zyxel support for remediation guidance.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zyxel/CloudCNM SecuManager
- Range: >=3.1.0, <=3.1.1
Patches
No patches discovered yet.
References
- pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html (mitre, x_refsource_MISC)
- www.zyxel.com/support/vulnerabilities-of-CloudCNM-SecuManager.shtml (mitre, x_refsource_MISC)