Python Code Injection in Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1
CVE-2020-15348

9.8CRITICAL

Key Information:

Vendor: Zyxel
Status: Cloud Cnm Secumanager
Vendor: CVE Published:; 26 June 2020

What is CVE-2020-15348?

Zyxel CloudCNM SecuManager versions 3.1.0 and 3.1.1 are susceptible to a code injection vulnerability that allows attackers to execute arbitrary Python code. By exploiting the endpoint for deleting CPEs by IDs, unauthorized users can manipulate the eval function, leading to potential system compromise. It is crucial for users of the affected versions to apply the necessary security updates to mitigate this risk.

References

https://pierrekim.github.io/blog/2020-03-09-zyxel-secuman...

x_refsource_MISC

https://www.zyxel.com/support/vulnerabilities-of-CloudCNM...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2020
Vulnerability Reserved
Jun 26, 2020