CVE-2023-3942

Name of the Vulnerable Software and Affected Versions ZKTeco-based OEM devices versions ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly other Standalone service versions 2.1.6-20200907 and possibly others

Description An SQL Injection vulnerability exists in ZKTeco-based OEM devices due to improper neutralization of special elements used in SQL commands. This issue allows an attacker to impersonate another user, perform unauthorized actions, access user data, and system parameters from the database.

Recommendations For ZKTeco-based OEM devices with firmware version ZAM170-NF-1.8.25-7354-Ver1.0.0, update the firmware to protect against SQL injection attacks. For Standalone service version 2.1.6-20200907, update the service to prevent unauthorized access and data manipulation. As a temporary workaround, consider restricting access to the database and system parameters until a patch is available. Avoid using potentially vulnerable SQL commands until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.