VYPR
Medium severity (4.6) · NVD Advisory · Published May 21, 2024 · Updated Apr 15, 2026

CVE-2023-3938

Description

An SQL injection in ZkTeco-based OEM devices allows an attacker with physical QR code access to authenticate as any user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability (Root Cause)

An improper neutralization of special elements used in an SQL command (SQL injection) exists in ZkTeco-based OEM devices such as the ProFace X, Smartec ST-FR043, and ST-FR041ME running firmware ZAM170-NF-1.8.25-7354-Ver1.0.0. The flaw lies in the QR code handling routine: when the device's camera scans a QR code, the decoded content is concatenated directly into the text of an SQL query, with no escaping or parameter binding. A single quotation mark embedded in the QR code content terminates the string literal the device expected, so the remainder of the payload is parsed as SQL and the attacker controls the rest of the query [1].

Exploitation

To exploit this vulnerability, an attacker must be physically present at the device in order to present a maliciously crafted QR code to its camera. No authentication is required; the device parses the QR code before any user login occurs. The attacker can craft the QR code to inject SQL that alters the lookup and returns user records from the device's internal database [1].

Impact

Successful exploitation enables the attacker to extract user credentials or authentication tokens from the database, thereby allowing them to authenticate as any user stored on the device. This bypasses the intended biometric or PIN-based authentication [1].
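The root cause, exploitation and impact above all come down to one lookup query built by string concatenation. The following is an added illustration, written for this page rather than taken from the device firmware or from reference [1]: an in-memory SQLite stand-in for the terminal's user table (the schema, column names and sample tokens are constructed assumptions), the vulnerable concatenated query beside a parameterized version, and an allow-list check on the token format as a second layer. A crafted QR payload makes the vulnerable lookup return the `admin` record, which is the "authenticate as any user" outcome; the same payload matches nothing once the QR content is bound as a parameter.

```python
import re
import sqlite3

# Constructed sample user table standing in for the device's internal
# database. The schema and the token values are assumptions made for this
# example, not the real firmware's layout.
SAMPLE_USERS = [
    (1, "admin", "QR-7F3A9C"),
    (2, "alice", "QR-1B2C3D"),
    (3, "bob", "QR-9E8F7A"),
]

# Assumed legitimate token format: short, alphanumeric plus hyphen.
TOKEN_RE = re.compile(r"[A-Za-z0-9-]{1,32}")


def make_device_db() -> sqlite3.Connection:
    """Build the in-memory stand-in for the terminal's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT, qr_token TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, qr_data: str):
    """Vulnerable pattern: the scanned QR content is pasted into the SQL text.

    A single quote inside qr_data closes the string literal early and the
    rest of the payload is parsed as SQL, so the attacker controls the
    WHERE clause and can select whichever user record they want.
    """
    query = f"SELECT user_id, name FROM users WHERE qr_token = '{qr_data}'"
    return conn.execute(query).fetchone()  # (user_id, name) or None


def lookup_hardened(conn: sqlite3.Connection, qr_data: str):
    """Hardened pattern: the QR content is bound as a parameter, so quote
    characters are compared as data and never become SQL syntax."""
    return conn.execute(
        "SELECT user_id, name FROM users WHERE qr_token = ?", (qr_data,)
    ).fetchone()


def is_wellformed_token(qr_data: str) -> bool:
    """Defence in depth: reject anything that does not look like a token
    before it reaches the database. This complements, and does not
    replace, parameter binding."""
    return TOKEN_RE.fullmatch(qr_data) is not None


def run_demo() -> dict:
    """Run both lookups against a benign token and a crafted QR payload."""
    conn = make_device_db()
    benign = "QR-1B2C3D"
    # Crafted QR content: closes the literal, then matches the admin row.
    # Resulting vulnerable query text:
    #   ... WHERE qr_token = '' OR name='admin'
    payload = "' OR name='admin"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_payload": lookup_vulnerable(conn, payload),
        "safe_benign": lookup_hardened(conn, benign),
        "safe_payload": lookup_hardened(conn, payload),
        "payload_wellformed": is_wellformed_token(payload),
        "benign_wellformed": is_wellformed_token(benign),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the vulnerable lookup the crafted payload yields the `admin` record even though no token for that user was ever scanned; with parameter binding the identical payload is compared literally against `qr_token` and matches nothing. The allow-list check is worth keeping on a device like this because the QR content is attacker-controlled input that crosses a trust boundary at the camera, but the fix that matters is the bound parameter.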

Mitigation

As of the advisory date, no official patch was available. The vendor's recommended remediation is to apply a future firmware update once released. Device administrators should monitor vendor channels for patched firmware and, in the interim, limit who can approach the device's camera, since presenting a QR code is the only access the attack needs; where QR-code authentication is not required for the deployment, disabling it removes the vulnerable input path entirely [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0 (no linked articles in our index yet)