CRITICAL🇵🇱 Wersja polska

CVE-2023-3943

CVSS 10.0v3.1pub. 2024-05-21upd. 2026-04-15

Stack-based Buffer Overflow vulnerability in ZkTeco-based OEM devices allows, in some cases, the execution of arbitrary code. Due to the lack of protection mechanisms such as stack canaries and PIE, it is possible to successfully execute code even under restrictive conditions. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly others.

🤖 AI Analysis
How it works

The vulnerability results from a stack buffer overflow (CWE-121) that can occur over the network without requiring authentication or user interaction (CVSS vector: AV:N/AC:L/PR:N/UI:N). The devices do not implement typical defensive mechanisms — lacking stack canaries and Position Independent Executable (PIE) — which allows an attacker to precisely control program execution flow. Thanks to this, even under additional environmental restrictions, it is possible to effectively deliver and execute malicious payload.

Impact

An unauthenticated remote attacker can execute arbitrary code on the vulnerable device with potential full system control compromise, which at maximum CVSS score of 10.0 includes violation of confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the manufacturer in accordance with references. Due to lack of information about available patches, it is additionally recommended to isolate devices on the network (segmentation, firewall), restrict network access only to trusted hosts, and monitor network activity of these devices until official firmware update is deployed.

Who is affected

OEM devices based on the ZkTeco platform: ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and potentially other devices of this type running firmware ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly other firmware versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References