Access Control Issue in ZKTeco ZKBioSecurity
CVE-2022-36634
8.8 HIGH
What is CVE-2022-36634?
The ZKTeco ZKBioSecurity V5000 version 3.0.5_r is susceptible to an access control vulnerability that enables unauthorized attackers to create admin user accounts through specially crafted HTTP requests. This flaw could potentially lead to a complete compromise of the affected system, allowing malicious actors to gain administrative privileges and control over the security environment.
References
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved