ZKTeco OEM Devices Vulnerable to SQL Injection Attacks
CVE-2023-3942
What is CVE-2023-3942?
An SQL Injection vulnerability has been identified in ZKTeco-based OEM devices, stemming from inadequate handling of special characters used in SQL commands. This flaw can allow attackers to impersonate legitimate users or carry out unauthorized actions within the system. Additionally, attackers may gain access to crucial user data and system parameters stored in the database. Commonly affected devices include the ZKTeco ProFace X and Smartec models ST-FR043 and ST-FR041ME. Users of versions ZAM170-NF-1.8.25-7354-Ver1.0.0 and Standalone service version 2.1.6-20200907 should take immediate precautions to secure their systems and update affected firmware.
Affected Version(s)
ZKTeco-based OEM devices with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0
ZKTeco-based OEM devices with Standalone service v. 2.1.6-20200907