ZKTeco OEM Devices Vulnerable to SQL Injection Attacks
CVE-2023-3942
What is CVE-2023-3942?
An SQL Injection vulnerability has been identified in ZKTeco-based OEM devices, stemming from inadequate handling of special characters used in SQL commands. This flaw can allow attackers to impersonate legitimate users or carry out unauthorized actions within the system. Additionally, attackers may gain access to crucial user data and system parameters stored in the database. Commonly affected devices include the ZKTeco ProFace X and Smartec models ST-FR043 and ST-FR041ME. Users of versions ZAM170-NF-1.8.25-7354-Ver1.0.0 and Standalone service version 2.1.6-20200907 should take immediate precautions to secure their systems and update affected firmware.

Affected Version(s)
Product: ZkTeco-based OEM devices with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0, Standalone service v. 2.1.6-20200907
Affected versions: ZAM170-NF-1.8.25-7354-Ver1.0.0; Standalone service v. 2.1.6-20200907
