Insecure direct object reference in ZKTeco ZEM800
Description
Insecure direct object reference in ZKTeco ZEM800 (v6.60) allows local network attacker to obtain user backup and device config files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An IDOR vulnerability (CWE-639) has been found in ZKTeco ZEM800 firmware version 6.60, as reported in [1]. The bug allows an attacker to access registered user backup files and device configuration files without proper authorization. The product is at the end of its life cycle.
Exploitation
An attacker with local network access (adjacent network) or through a VPN server can exploit this vulnerability without authentication or user interaction [1]. By sending crafted requests, the attacker can directly access the files.
Impact
Successful exploitation leads to disclosure of sensitive user data and device configuration, compromising confidentiality and integrity. The CVSS v3.1 base score is 8.3, indicating high impact on confidentiality and integrity, with low impact on availability [1].
Mitigation
The vendor has released an updated firmware version; it is recommended to upgrade to the latest available version [1]. As the product is end-of-life, no further patches are expected. No workarounds have been provided.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
ZKTeco / ZEM800 (v5), affected version range: 6.60
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.