ZkTeco OEM Devices Vulnerable to OS Command Injection
CVE-2023-3939

10 CRITICAL

Key Information:

What is CVE-2023-3939?

An OS command injection vulnerability in ZkTeco-based OEM devices allows unauthorized execution of commands at the superuser level. It stems from improper neutralization of special elements during command processing, which can be abused to execute arbitrary OS commands and potentially leads to full compromise of the device. Affected products include the ZkTeco ProFace X and several Smartec models. Because the injected commands run with superuser privileges, their impact is maximal.

Affected Version(s)

ZkTeco-based OEM devices with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

The vulnerability was discovered by Georgy Kiguradze from Kaspersky.