CVE-2020-15348

Vulnerability

A pre-authenticated remote code execution vulnerability exists in Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1. The live/CPEManager/AXCampaignManager/delete_cpes_by_ids?cpe_ids= endpoint passes user-supplied input directly to a Python eval() call, allowing injection of arbitrary Python code [1]. An attacker can reach this endpoint without any authentication, as the device lacks a default firewall and exposes management interfaces to the WAN [1].

Exploitation

An unauthenticated attacker with network access to the SecuManager appliance can craft an HTTP GET request to the vulnerable endpoint, embedding malicious Python code in the cpe_ids parameter. No prior authentication or user interaction is required [1]. The attacker simply sends a request such as https://target/live/CPEManager/AXCampaignManager/delete_cpes_by_ids?cpe_ids=__import__('os').system('id') to achieve code execution [1].

Impact

Successful exploitation yields arbitrary Python code execution on the SecuManager server. This can be leveraged to execute operating system commands, potentially leading to full compromise of the appliance, including data exfiltration, installation of backdoors, or lateral movement within the network [1]. The impact is critical (CVSS 9.8) as it requires no privileges and no user interaction.

Mitigation

As of the publication date (2020-06-26), no official patch was available from Zyxel [1]. The vendor was reportedly notified but did not respond, and the product may have reached end-of-life [1]. Organizations should immediately isolate any CloudCNM SecuManager instances from untrusted networks, apply strict firewall rules, and consider decommissioning the appliance if possible. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the knowledge cutoff.