CVE-2016-20024

Summary

ZKTeco ZKTime.Net 3.0.1.6 contains an insecure file permissions vulnerability that allows unprivileged users to escalate privileges by modifying executable files. Attackers can exploit world-writable permissions on the ZKTimeNet3.0 directory and its contents to replace executable files with malicious binaries for privilege escalation.

Affected Software

VendorProductVersion RangeStatus
ZKTeco Inc.ZKTeco ZKTime.Net3.0.1.6affected
ZKTeco Inc.ZKTeco ZKTime.Net3.0.1.5 (160622)affected
ZKTeco Inc.ZKTeco ZKTime.Net3.0.1.1 (160216)affected

Weaknesses

  • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References