PT-2026-44832 · Suprema+1 · Biostar 2+1
Published
2026-05-29
·
Updated
2026-05-29
·
CVE-2026-9508
CVSS v4.0
10
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L |
Name of the Vulnerable Software and Affected Versions
Suprema BioStar 2 versions 2.9.3 through 2.9.11
Description
Incorrect permission settings on a critical resource allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. An attacker with network access can directly download backup ZIP files via the endpoint 'http(s)://[server]/download/...' without authentication. This leads to the disclosure of sensitive information, which may enable server impersonation, unauthorized database access, and lateral movement within the network.
Recommendations
For versions 2.9.3 through 2.9.11, ensure that backup paths are not configured within the NGINX webroot to prevent public exposure of backup files.
Fix
Incorrect Permission
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Biostar 2
Nginx