CVE-2020-15344
Description
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_user_id_and_key API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zyxel CloudCNM SecuManager 3.1.0/3.1.1 exposes an unauthenticated API that leaks user IDs and API keys.
Vulnerability
CVE-2020-15344 describes an unauthenticated API endpoint zy_get_user_id_and_key in Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1. The API does not require any authentication or authorization, allowing any remote attacker to query it and obtain sensitive user identifiers and API keys directly from the management interface [1].
Exploitation
An attacker can send a crafted HTTP request to the zy_get_user_id_and_key endpoint without needing any prior credentials, network position, or user interaction. Since the appliance has no firewall by default and some daemons are WAN-reachable [1], exploitation can be performed from the internet by simply targeting the exposed management web server.
Impact
Successful exploitation leaks user IDs and API keys, which are credentials that can be reused to access further functionality within the SecuManager. This disclosure could lead to unauthorized management actions, further information gathering, or serve as a stepping stone for more severe attacks like remote code execution via other backdoor APIs [1].
Mitigation
Zyxel has not released a patch for this vulnerability as of the publication date (2020-06-26). The device remains vulnerable; users should restrict network access to the management interface, place it behind a firewall, and monitor for any vendor updates. The CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zyxel/CloudCNM SecuManager
- Range: = 3.1.0, = 3.1.1
Patches
No patches discovered yet.
References
- pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html (mitre, x_refsource_MISC)
- www.zyxel.com/support/vulnerabilities-of-CloudCNM-SecuManager.shtml (mitre, x_refsource_MISC)