ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) running ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly other versions
Impact: The described vulnerabilities allow an attacker to access any file on the system.
Access Vector: Remote
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5
CVE-2023-3940
A vulnerability that permits arbitrary file reading was discovered in a software component. The flaw allows an attacker to specify file paths that bypass security checks, enabling unauthorized access to any file on the system, including sensitive user data and system settings. The impact is worse when the file access is performed with superuser privileges, which increases the risk of severe data exposure.
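As an added illustration (not code from the vendor or from this advisory), the sketch below contrasts a string-based path filter with a check that canonicalizes the path before testing containment. The advisory does not describe the actual check that is bypassed; the function names, the naive filter and the base directory are all assumptions made for the example.

```python
import os
import stat

# Assumed scenario: a service hands out files from one export directory.
# If it runs as root, file permissions no longer limit what it can read,
# so the containment check below is the only barrier.

def naive_is_allowed(requested: str) -> bool:
    """Assumed 'before' check: only looks at how the string starts."""
    return not requested.startswith(("/", "../"))

def resolve_inside(base_dir: str, requested: str) -> str:
    """Canonicalize first, then require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses "..", follows symlinks, and an absolute
    # `requested` replaces the base in join(), so every one of those
    # cases is visible in `candidate` before the comparison.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base!r}: {requested!r}")
    return candidate

def read_file(base_dir: str, requested: str, max_bytes: int = 1 << 20) -> bytes:
    """Return file contents only for a regular file inside base_dir."""
    path = resolve_inside(base_dir, requested)
    # O_NOFOLLOW: refuse if the last component was swapped for a symlink
    # between the check above and this open.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"not a regular file: {requested!r}")
        return os.read(fd, max_bytes)
    finally:
        os.close(fd)
```

The string filter accepts a name such as `sub/../../secret.txt` because it never resolves the path, while `resolve_inside` rejects it along with absolute paths and symlinks that point outside the base directory.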
Apply the vendor's patch when it becomes available for your device.
The vulnerability was discovered by Georgy Kiguradze from Kaspersky.