CVE-2020-15345
Description
Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_instances_for_update API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated API call in Zyxel CloudCNM SecuManager 3.1.0/3.1.1 leaks instance data.
Vulnerability
Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 expose an unauthenticated API endpoint, zy_get_instances_for_update. Calling this API requires no authentication or prior knowledge, so it is accessible to any attacker who can reach the management interface [1].
Exploitation
An attacker with network access to the SecuManager web interface can directly call zy_get_instances_for_update without any authentication, user interaction, or privileges. No special conditions are required beyond network connectivity [1].
Impact
Successful exploitation allows an unauthenticated remote attacker to retrieve instance-level information from the SecuManager, potentially revealing the managed security gateway inventory and configuration details. This is a confidentiality breach that can aid in further targeted attacks [1].
Mitigation
The available references do not list a fixed version from Zyxel for this specific vulnerability [1]. As a workaround, administrators should restrict network access to the SecuManager’s web interface using a firewall or VLAN segmentation, limiting exposure to trusted networks only [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zyxel/CloudCNM SecuManager (source: description)
- Range: >= 3.1.0, <= 3.1.1
Patches
No patches discovered yet.
References
- pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html (mitre, x_refsource_MISC)
- www.zyxel.com/support/vulnerabilities-of-CloudCNM-SecuManager.shtml (mitre, x_refsource_MISC)