CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages.
Analysis
ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery (CSRF) vulnerability that lets an attacker perform unauthorized administrative actions through an authenticated administrator's browser, specifically adding superadmin accounts without proper validation. An attacker can craft malicious HTTP requests that, when a logged-in administrator visits an attacker-controlled page, are silently submitted with the administrator's session and create new superadmin credentials, effectively granting the attacker persistent unauthorized administrative access. This vulnerability requires user interaction (a logged-in admin must visit an attacker-controlled page) but does not require elevated privileges to trigger, presenting a moderate but real risk to organizations using this biometric access control system.
Technical Context
The vulnerability stems from the absence of CSRF tokens or similar anti-CSRF mechanisms in ZKTeco ZKBioSecurity 3.0's administrative account creation endpoints. When a web application fails to validate that state-changing requests (such as adding users) originate from legitimate, authenticated sessions rather than cross-origin requests, it becomes vulnerable to CSRF attacks as defined by CWE-352. ZKBioSecurity is a biometric access control and time-attendance management platform deployed in enterprise environments, typically running on internal networks or cloud infrastructure. The absence of validity checks on superadmin account creation suggests that the application implicitly trusts the browser context of authenticated users, so an attacker can forge requests to which the browser automatically attaches the user's valid session cookies when the user visits a malicious site. This is a classic CSRF weakness in web applications that handle sensitive operations without proper request origin validation or cryptographic tokens.
Affected Products
ZKTeco ZKBioSecurity versions 3.0 and likely earlier versions are affected by this CSRF vulnerability. Exact version boundaries have not been disclosed in publicly available references, but ZKBioSecurity 3.0 is explicitly mentioned as vulnerable. Organizations should check with ZKTeco for patch availability and version guidance. The product is commonly deployed in enterprise biometric access control installations across manufacturing, healthcare, and corporate environments.
Remediation
Upgrade ZKTeco ZKBioSecurity to the latest patched version provided by ZKTeco after confirming availability of security updates from the vendor. Until patching is possible, implement compensating controls: enforce HTTPS-only communication to all ZKBioSecurity administrative interfaces, restrict administrative access to trusted internal IP ranges via firewall rules, require VPN access for remote administration, and implement HSTS headers on the application. Conduct user awareness training to reduce the risk of administrators visiting untrusted websites while logged into administrative systems. Additionally, review and verify that ZKBioSecurity administrative endpoints implement proper CSRF token validation on all state-changing operations (POST/PUT/DELETE requests), and if not available in the current version, contact ZKTeco for patch timelines and interim guidance.
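The Technical Context and Remediation sections above describe the missing control: state-changing endpoints must verify a per-session CSRF token and the request origin before acting. The following is an added example, not ZKTeco's code, showing what such a check looks like for a hypothetical "add user" handler; the `Request` model, the trusted origin and the sample requests are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Tuple

# Hypothetical request model: only the parts of an HTTP request a CSRF check needs.
@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # server-side session for the cookie

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TRUSTED_ORIGINS = {"https://zkbio.example.internal"}  # constructed placeholder origin

def issue_csrf_token(session: dict) -> str:
    """Create a random synchronizer token, store it in the session, return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Safe methods pass; state changes need origin and token."""
    if req.method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # Browsers attach Origin (or at least Referer) to cross-site form posts, so a missing
    # or foreign value is rejected even though the session cookie was sent along.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not any(origin == o or origin.startswith(o + "/") for o in TRUSTED_ORIGINS):
        return False, "origin not trusted"
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison; a session without a token can never pass.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"
    return True, "ok"

def add_user_handler(req: Request, users: dict) -> int:
    """Hypothetical account-creation endpoint: refuse with 403 unless the CSRF check passes."""
    allowed, _reason = csrf_check(req)
    if not allowed:
        return 403
    users[req.form["username"]] = req.form.get("role", "user")
    return 201
```

A request carrying the session cookie but lacking the token or a trusted Origin is refused, which is exactly the forged-request case the advisory describes.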
EUVD-2016-10811