CVE-2023-3942 Information

Description

An ‘SQL Injection’ vulnerability due to improper neutralization of special elements used in SQL commands exists in ZKTeco-based OEM devices. This vulnerability allows an attacker to in some cases impersonate another user or perform unauthorized actions. In other instances it enables the attacker to access user data and system parameters from the database. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X Smartec ST-FR043 Smartec ST-FR041ME and possibly others)

with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly other Standalone service v. 2.1.6-20200907 and possibly others.

Reference

https://github.com/klsecservices/Advisories/blob/master/K-ZkTeco-2023-005.md