CVE-2024-22988

Vulnerability

CVE-2024-22988 affects ZKBio WDMS versions up to and including 8.0.5 (Build: 20211216.13375) [2]. The vulnerability lies in the /files/backup/ endpoint, where the backup filename is derived from a predictable timestamp stored in a configuration file [1][4]. This makes the backup file discoverable and accessible without proper authentication [3].

Exploitation

An attacker can exploit this vulnerability remotely without any prior authentication [2]. By analyzing the timestamp generation logic (e.g., from a publicly exposed config file or pattern brute-force), the attacker can enumerate possible backup filenames and download the database via a simple HTTP GET request to /files/backup/<predicted_filename> [4]. No user interaction or special network position beyond internet access is required [2][4].

Impact

Successful exploitation allows an attacker to download the entire database backup file [1][3]. This leads to full disclosure of sensitive data stored in the ZKBio WDMS database, including user credentials, biometric templates, and other Personally Identifiable Information (PII). The attacker gains no direct code execution, but the information could be used for further attacks [4].

Mitigation

ZKTeco has addressed this vulnerability in ZKBio WDMS version 9.0.2 (Build: 20250526) [3]. All users on version 8.0.5 or earlier are strongly advised to update to the latest version immediately [3]. The patch can be obtained from the official ZKTeco website, via email at xmtam@zkteco.com, by calling 400-6900-999, or through regional ZKTeco branches [3]. There is no known workaround for unpatched installations.