Georgy Kiguradze

**Name of the Vulnerable Software and Affected Versions** ZkTeco ProFace X versions prior to the fixed version Smartec ST-FR043 versions prior to the fixed version Smartec ST-FR041ME versions prior to the fixed version ZkTeco-based OEM devices versions prior to the fixed version, including those with ZAM170-NF-1.8.25-7354-Ver1.0.0 **Description** The issue is related to a Relative Path Traversal vulnerability in the Handler for User Photo Upload Command and Handler for Picture Upload Command components of ZkTeco-based OEM devices. This vulnerability can be exploited by an attacker to write any file on the system with root privileges, potentially allowing them to elevate their privileges and gain access to read, modify, or delete data. The vulnerability affects devices used in high-security sectors, including nuclear plants, hospitals, and offices, which support advanced authentication methods such as facial recognition and QR-code scanning. **Recommendations** For ZkTeco ProFace X, update to a version that includes a fix for this issue. For Smartec ST-FR043, update to a version that includes a fix for this issue. For Smartec ST-FR041ME, update to a version that includes a fix for this issue. For ZkTeco-based OEM devices, update to a version that includes a fix for this issue, including those with ZAM170-NF-1.8.25-7354-Ver1.0.0. As a temporary workaround, consider restricting access to the vulnerable components until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZkTeco-based OEM devices version ZAM170-NF-1.8.25-7354-Ver1.0.0 **Description** The issue is related to an OS Command Injection vulnerability, which allows for the execution of arbitrary commands. This vulnerability affects ZkTeco-based OEM devices, including ZkTeco ProFace X, Smartec ST-FR043, and Smartec ST-FR041ME, and possibly others. The impact of this issue is maximum possible since all found command implementations are executed from the superuser. **Recommendations** For ZkTeco-based OEM devices version ZAM170-NF-1.8.25-7354-Ver1.0.0, consider disabling the vulnerable command implementations until a patch is available. Restrict access to the affected devices to minimize the risk of exploitation. Avoid using the vulnerable firmware version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ZkTeco ProFace X versions prior to the fixed version Smartec ST-FR043 versions prior to the fixed version Smartec ST-FR041ME versions prior to the fixed version ZkTeco-based OEM devices versions prior to the fixed version ZkTeco-based OEM devices with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others Description: The issue is related to a stack-based buffer overflow vulnerability in ZkTeco-based OEM devices, which can allow the execution of arbitrary code due to the lack of protection mechanisms such as stack canaries and PIE. This vulnerability can be exploited by a remote attacker. Recommendations: For ZkTeco ProFace X, update to a version that includes the fix for this issue. For Smartec ST-FR043, update to a version that includes the fix for this issue. For Smartec ST-FR041ME, update to a version that includes the fix for this issue. For ZkTeco-based OEM devices, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling any functionality that may be using the vulnerable code until a patch is available. Restrict access to the devices to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ZKTeco-based OEM devices versions ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly other Standalone service versions 2.1.6-20200907 and possibly others **Description** An SQL Injection vulnerability exists in ZKTeco-based OEM devices due to improper neutralization of special elements used in SQL commands. This issue allows an attacker to impersonate another user, perform unauthorized actions, access user data, and system parameters from the database. **Recommendations** For ZKTeco-based OEM devices with firmware version ZAM170-NF-1.8.25-7354-Ver1.0.0, update the firmware to protect against SQL injection attacks. For Standalone service version 2.1.6-20200907, update the service to prevent unauthorized access and data manipulation. As a temporary workaround, consider restricting access to the database and system parameters until a patch is available. Avoid using potentially vulnerable SQL commands until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZkTeco ProFace X versions ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others Smartec ST-FR043 versions ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others Smartec ST-FR041ME versions ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others **Description** The issue is related to errors in processing relative paths to directories, allowing an attacker to bypass security restrictions and gain unauthorized access to protected information. This vulnerability enables an attacker to access any file on the system. **Recommendations** For ZkTeco ProFace X version ZAM170-NF-1.8.25-7354-Ver1.0.0, consider disabling access to sensitive files until a patch is available. For Smartec ST-FR043 version ZAM170-NF-1.8.25-7354-Ver1.0.0, restrict access to the file system to minimize the risk of exploitation. For Smartec ST-FR041ME version ZAM170-NF-1.8.25-7354-Ver1.0.0, avoid using relative paths in directory processing until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OMRON CP1L-EL20DR-D all versions **Description** The issue is related to the implementation of the Factory Interface Network Service (FINS) protocol in the OMRON CP1L-EL20DR-D programmable logic controller's firmware, specifically due to insufficient protection of service data in the debug code implementation. This could allow a remote attacker to read, modify, or delete files, execute arbitrary code, or cause a denial-of-service condition. The presence of active debug code may lead to the execution of unspecified FINS protocol commands without authentication, enabling a remote unauthenticated attacker to read/write in arbitrary areas of the device memory. This could result in overwriting the firmware, causing a denial-of-service condition, and/or arbitrary code execution. **Recommendations** As a temporary workaround, consider disabling the debug code functionality until a patch is available. Restrict access to the device to minimize the risk of exploitation. Avoid using the device until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Dell EMC iDRAC9 versions prior to 4.20.20.20 **Description** The issue allows a remote authenticated malicious user with low privileges to potentially gain unauthorized read access to arbitrary files by manipulating input parameters. **Recommendations** For versions prior to 4.20.20.20, update to version 4.20.20.20 or later to resolve the issue.