CVE-2016-20028
Description
ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ZKTeco ZKBioSecurity 3.0 is vulnerable to CSRF, allowing attackers to add superadmin accounts by tricking authenticated users into visiting malicious pages.
Vulnerability
Overview
ZKTeco ZKBioSecurity 3.0, a web-based security platform integrating access control, video, elevator, and visitor management, is affected by a cross-site request forgery (CSRF) vulnerability [1][2][3][4]. The application does not verify that state-changing HTTP requests originate from its own pages (there is no anti-CSRF token or equivalent check), so a request forged by a third-party site and carried by the victim's own session cookie is accepted as if the administrator had issued it; in particular, such a forged request can add a new superadmin account [1][2].
Exploitation
An attacker can exploit this by hosting a web page containing a hidden form whose target is the application's authUserAction!edit.action endpoint [2][3]. When a logged-in administrator visits the attacker's page, script on the page submits the form automatically and the browser attaches the administrator's session cookie, so the application creates a new superadmin account with attacker-controlled credentials [2][3]. No authentication beyond the victim's active session is required; the attacker never needs the victim's password.
Impact
Successful exploitation grants the attacker full administrative privileges over the ZKBioSecurity system [1][4]. This includes the ability to manage users, access control settings, video surveillance, elevator controls, and visitor records, potentially compromising physical security and sensitive data [2][3].
Mitigation
As of the latest known information, ZKTeco has not released a patch for this vulnerability [4]. A real fix has to come from the vendor: a per-session anti-CSRF token verified on every state-changing request, or an equivalent control such as Origin/Referer validation together with SameSite session cookies. Until then, operators should restrict network access to the ZKBioSecurity web interface, avoid browsing untrusted sites from a browser that holds an active ZKBioSecurity session, and monitor for superadmin accounts that nobody created intentionally. The vulnerability affects versions up to 3.0.1.0_R_230 [2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- cxsecurity.com/issue/WLB-2016080268
- exchange.xforce.ibmcloud.com/vulnerabilities/116477
- packetstormsecurity.com/files/138569
- www.exploit-db.com/exploits/40325/
- www.vulncheck.com/advisories/zkteco-zkbiosecurity-cross-site-request-forgery-superadmin
- www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5364.php
News mentions
No linked articles in our index yet.