CVE-2022-42953
In short
ZKTeco time clock devices expose sensitive information through specific web URLs that don't require proper authentication. An attacker can directly access these URLs to retrieve confidential data without logging in.
Technical detail
A CWE-425 (Direct Request) vulnerability in ZKTeco biometric devices allows unauthenticated access to sensitive information via the form/DataApp endpoint when called with the style parameter. The attack requires network access to the affected device's web interface; successful exploitation retrieves confidential data without any authentication step.
Summary generated and translated by AI from the official description.
Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
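Because the weakness is a direct request to a known URL, the defensive signal is simple: any request for form/DataApp with style=0 or style=1 that the device answers with 200 is either an authorized operator or an exposure. The script below is an added example, not code from the advisory, from ZKTeco or from TrueHacking. It assumes the time clock sits behind a reverse proxy or network sensor that writes Apache/nginx combined-format access logs, and the log lines it processes are constructed for illustration. The trusted_clients allow-list is a hypothetical knob for suppressing known operator workstations.

```python
"""Flag CVE-2022-42953 access patterns in combined-format access logs.

Added example: assumes the ZKTeco device is fronted by a proxy or sensor that
logs requests in Apache/nginx combined format. SAMPLE_LOG is constructed data.
"""
import re
from urllib.parse import parse_qs, urlsplit

# client - - [timestamp] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_dataapp_direct_request(target):
    """True when the request target is form/DataApp with style=0 or style=1,
    the two URLs named in the advisory. Other style values are ignored."""
    parts = urlsplit(target)
    if not parts.path.endswith("/form/DataApp"):
        return False
    style_values = parse_qs(parts.query).get("style", [])
    return any(v in ("0", "1") for v in style_values)


def find_suspicious(lines, trusted_clients=frozenset()):
    """Return the parsed records that hit the vulnerable endpoint.

    trusted_clients (hypothetical allow-list) suppresses known operator hosts.
    'served' is True when the device returned 200, i.e. data left the device;
    non-200 hits still record probing against a patched or filtered device.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dataapp_direct_request(rec["target"]):
            continue
        if rec["client"] in trusted_clients:
            continue
        rec["served"] = rec["status"] == 200
        hits.append(rec)
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, invented sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2022:13:55:36 +0000] "GET /form/DataApp?style=1 HTTP/1.1" 200 8421 "-" "curl/7.85.0"',
    '203.0.113.7 - - [10/Oct/2022:13:55:37 +0000] "GET /form/DataApp?style=0 HTTP/1.1" 200 5120 "-" "curl/7.85.0"',
    '192.0.2.10 - - [10/Oct/2022:14:01:02 +0000] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2022:14:01:15 +0000] "GET /form/DataApp?style=1 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2022:15:20:09 +0000] "GET /form/DataApp?style=2 HTTP/1.1" 404 0 "-" "python-requests/2.28"',
    '198.51.100.4 - - [10/Oct/2022:15:20:10 +0000] "GET /form/DataApp?style=1 HTTP/1.1" 403 0 "-" "python-requests/2.28"',
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, trusted_clients=frozenset({"192.0.2.10"})):
        verdict = "DATA SERVED" if hit["served"] else "blocked/probe"
        print(f'{hit["ts"]} {hit["client"]} {hit["target"]} -> {hit["status"]} ({verdict})')
```

Run against real proxy logs, the 200 responses from untrusted clients are the records to treat as confirmed disclosure; the 403/404 responses after the 8.88 / 15.00 firmware update are still worth alerting on, since they show someone is testing for the issue.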
Affected products
n/a · n/a
Public PoCs found: 1
exploitdb: www.exploit-db.com/exploits/51112 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.