CVE-2023-3939

Name of the Vulnerable Software and Affected Versions ZkTeco-based OEM devices version ZAM170-NF-1.8.25-7354-Ver1.0.0

Description The issue is related to an OS Command Injection vulnerability, which allows for the execution of arbitrary commands. This vulnerability affects ZkTeco-based OEM devices, including ZkTeco ProFace X, Smartec ST-FR043, and Smartec ST-FR041ME, and possibly others. The impact of this issue is maximum possible since all found command implementations are executed from the superuser.

Recommendations For ZkTeco-based OEM devices version ZAM170-NF-1.8.25-7354-Ver1.0.0, consider disabling the vulnerable command implementations until a patch is available. Restrict access to the affected devices to minimize the risk of exploitation. Avoid using the vulnerable firmware version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.