CRITICAL🇵🇱 Wersja polska

CVE-2026-9508

CVSS 10.0v4.0pub. 2026-05-29

Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.

🤖 AI Analysis
How it works

When a BioStar 2 system administrator configures the backup file path inside the NGINX server's root directory (webroot), these files become publicly accessible via HTTP/HTTPS. Incorrect permissions on this critical resource (CWE-732) do not enforce any access control or authentication. An attacker can directly download the backup ZIP archive by sending an HTTP(S) request to the address 'http(s)://[server]/download/…' without providing any authentication credentials.

Impact

An attacker can download backup files containing highly sensitive data, which may lead to server impersonation, unauthorized database access, and lateral movement within the victim's network.

Mitigation & patch

Apply patches available from the manufacturer in accordance with the references provided. Until an update is applied, it is recommended to move the backup file storage path outside the NGINX server's webroot directory and verify access permissions for directories containing backups.

Who is affected

Suprema BioStar 2 versions 2.9.3 to 2.9.11 (inclusive), when the backup path is configured in the NGINX server's webroot directory

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References