VYPR
Unrated severity · NVD Advisory · Published Dec 25, 2022 · Updated Apr 15, 2025

CVE-2022-42953

Description

ZKTeco biometric devices expose sensitive configuration data via direct requests to unauthenticated URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Certain ZKTeco biometric devices, including ZEM500-510-560-760, ZEM600-800, ZEM720, and ZMM series models, are vulnerable to information disclosure through direct HTTP requests to the /form/DataApp?style=1 and /form/DataApp?style=0 URLs. This vulnerability affects firmware versions before 8.88 (for the ZEM range) and before 15.00 (for the ZMM range). The flaw resides in the device's web interface, which exposes sensitive configuration data without requiring authentication. [1]

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP GET requests to the targeted device's web server at the paths form/DataApp?style=1 or form/DataApp?style=0. The attacker does not need any prior authentication, user interaction, or special network position beyond network access to the device. No race condition or privileged access is required. The attack is simple and can be performed with standard HTTP tools. [1]

Impact

Successful exploitation allows an attacker to retrieve sensitive information from the device, including device configuration, network settings, and potentially user credentials or other private data. This information disclosure can aid in further attacks against the device or the network it resides on. The impact is limited to information disclosure, but the exposed data can be highly sensitive. [1]

Mitigation

ZKTeco has released firmware version 8.88 for the ZEM500-510-560-760, ZEM600-800, and ZEM720 models, and firmware version 15.00 for the ZMM200-220-210 models, which fix this vulnerability. Users are advised to update their devices to the latest firmware versions. If updating is not immediately possible, restricting network access to the device's web interface via firewall rules or network segmentation can reduce exposure. The CVE is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 5

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The web interface of the ZKTeco devices does not require authentication, exposing sensitive employee data."

Attack vector

An attacker can access sensitive information by directly requesting the form/DataApp?style=1 and form/DataApp?style=0 URLs on the affected ZKTeco devices. The advisory states that the device "does not require authentication to use the web interface, exposing the database of employees and their credentials" [ref_id=1]. This allows unauthorized access to user data without any authentication mechanism.

Affected code

The vulnerability lies within the web interface of the ZKTeco ZEM/ZMM devices. The advisory highlights that the web server does not enforce authentication, allowing direct access to sensitive data through specific URLs like form/DataApp?style=1 and form/DataApp?style=0 [ref_id=1].

What the fix does

The advisory indicates that fixed versions of the firmware have been released for the affected devices. Specifically, firmware version 8.88 resolves the issue for ZEM500-510-560-760, ZEM600-800, and ZEM720, while version 15.00 fixes ZMM200-220-210. Updating to these versions is recommended to remediate the vulnerability.

Preconditions

  • Network: The attacker must have network access to the ZKTeco device.
  • Input: The attacker must know or be able to discover the IP address of the ZKTeco device.
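As an added defender-side example (not part of this advisory and not ZKTeco code): a small Python detector that reads access-log lines from a reverse proxy or gateway placed in front of a ZKTeco device, assumed to write Common Log Format, and flags requests for the two unauthenticated DataApp URLs, rating highest any that were served with HTTP 200 to a source outside an assumed allowed management segment (10.20.30.0/24). The sample log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoints named in CVE-2022-42953; either style value exposes configuration data.
SENSITIVE_PATH = "form/DataApp"
SENSITIVE_STYLES = {"0", "1"}
# Assumed: the only segment that should ever reach the device's web interface.
ALLOWED_SOURCES = [ip_network("10.20.30.0/24")]

# Common Log Format as written by a reverse proxy or gateway in front of the device.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Split one access-log line into source, path, query params and status."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m.group("url").partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return {"src": m.group("src"), "path": path.lstrip("/"),
            "params": params, "status": int(m.group("status"))}

def classify(line):
    """None for unrelated traffic; else HIGH (served to an outside source),
    MEDIUM (served to an allowed source) or LOW (request seen but not served)."""
    rec = parse_line(line)
    if rec is None or rec["path"] != SENSITIVE_PATH:
        return None
    if rec["params"].get("style") not in SENSITIVE_STYLES:
        return None
    from_allowed = any(ip_address(rec["src"]) in net for net in ALLOWED_SOURCES)
    if rec["status"] == 200:
        return "MEDIUM" if from_allowed else "HIGH"
    return "LOW"

def scan(lines):
    """Return (severity, line) for every line that touches the exposed endpoint."""
    return [(sev, ln) for ln in lines if (sev := classify(ln)) is not None]

# Constructed sample lines (not real traffic) in the assumed proxy log format.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2023:10:00:01 +0000] "GET /form/DataApp?style=1 HTTP/1.1" 200 48213',
    '10.20.30.5 - - [01/Mar/2023:10:00:02 +0000] "GET /form/DataApp?style=0 HTTP/1.1" 200 1204',
    '198.51.100.9 - - [01/Mar/2023:10:00:03 +0000] "GET /form/DataApp?style=1 HTTP/1.1" 403 0',
    '203.0.113.7 - - [01/Mar/2023:10:00:04 +0000] "GET /form/DataApp?style=2 HTTP/1.1" 200 77',
    '10.20.30.5 - - [01/Mar/2023:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```

Calling `scan(SAMPLE_LOG)` yields HIGH for the first line, MEDIUM for the second and LOW for the third; a 200 on either URL from an address outside the allowed segment is the signal that the firewall or segmentation mitigation above is not in place.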

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0. No linked articles in our index yet.