Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system with root privileges. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others.
The vulnerability stems from improper validation of relative paths (Relative Path Traversal, CWE-23) in device software. An attacker can submit a crafted network request containing path-changing sequences (e.g., '../'), which allows escaping the permitted directory and writing arbitrary content anywhere on the file system. The operation is performed with the highest system privileges (root), eliminating any access restrictions.
An attacker can overwrite or create any file on the system with root privileges, which in practice enables full control over the device — including installation of backdoors, configuration modification, disruption of access control system operation, or permanent compromise of the device.
Patches available from the manufacturer should be applied in accordance with the references. It is also recommended to restrict network access to affected devices through network segmentation and firewall rules, so that access to the device interface is possible only from trusted network segments.
OEM devices based on ZkTeco platform, including ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME, and likely other OEM models, running ZkTeco ZAM170-NF-1.8.25-7354-Ver1.0.0 firmware and possibly other firmware versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H