Skip to content

24 Critical ZKTeco terminal flaws expose systems to command injection and other attacks

  • by
  • 4 min read

The ZKTeco biometric terminal is vulnerable to 24 flaws, which allow attackers to execute a range of malicious actions, including gaining unauthorised access to sensitive files, injecting malicious code into the terminal, bypassing authentication mechanisms to escalate privileges, manipulating network protocols to establish unauthorised communication channels, and executing remote commands on the terminal.

Overall, these 24 flaws can further be classified into the following heads:

  • 6 SQL injection flaws.
  • 7 buffer stack overflow flaws.
  • 5 command injection flaws.
  • 4 arbitrary file write flaws.
  • 2 arbitrary file read flaws.

Researchers have assigned CVE entries to these vulnerabilities for tracking and remediation purposes: CVE-2023-3938, CVE-2023-3939, CVE-2023-3940, CVE-2023-3941, CVE-2023-3942, CVE-2023-3943.

The attack on the ZKTeco biometric terminal is a sophisticated operation that exploits multiple flaws across various facets of the system. It begins by exploiting weaknesses in the authentication protocols of the terminal. Through meticulous reconnaissance, the attacker identifies vulnerabilities such as insecure authentication code generation and storage of credentials.

Using specialised tools, the attackers craft malicious authentication requests to bypass the terminal’s authentication mechanisms. This allows them to gain unauthorised access with escalated privileges, circumventing security controls meant to restrict access to authorised users.

Simultaneously, the attacker exploits SQL injection vulnerabilities discovered in the QR code scanning feature of the biometric terminal. They create malicious QR codes embedded with SQL injection payloads, taking advantage of lax input validation in the terminal’s QR code processing logic.

Source: Securelist

When the terminal scans these malicious codes, the injected SQL commands manipulate the underlying database queries. This manipulation enables the attack to extract sensitive information, modify data, or execute unauthorised actions within the system, further compromising its security.

In addition to SQL injection, the attacker leverages buffer overflow vulnerabilities identified within the biometric terminal’s network protocols. The attacker triggers buffer overflow conditions in the terminal’s network communication routines by crafting specially designed network packets that exceed buffer size limitations.

These overflowed data can overwrite any adjacent memory locations leading to arbitrary code execution or system crashes. this exploit grants the attacker unauthorised control over critical components of the terminal, potentially allowing them to execute malicious code or escalate privileges within the system.

The attacker gains control over file operations by exploiting vulnerabilities in the biometric terminal’s file handling commands. They create custom commands for downloading, uploading, deleting, or updating files, evading validation checks to access sensitive system files or insert malicious code.

Image download handler. | Source: Securelist

Furthermore, the attack users command injection tactics, embedding shell commands in filenames or input fields to deceive the terminal into running authorised commands with heightened privileges.

Moreover, the attack exploits flaws in network services and protocols running on the terminal, such as proprietary protocol on port 4370/TCP. By analysing network traffic and identifying weaknesses in protocol implementations, the attacker manoeuvres to exploit authentication bypasses, command injection flaws, or data manipulation vulnerabilities within network communication channels.

This exploitation allows the attacker to establish unauthorised communication channels, exfiltrate sensitive data, or execute remote commands on the terminal, potentially compromising its security integrity.

Overall, this multifaceted attack demonstrates a coordinated effort to exploit numerous vulnerabilities across authentication mechanisms, network protocols, file handling routines, and command execution functionalities within the ZKTeco biometric terminal.

“Biometric devices designed to improve physical security can both offer convenient, useful features and introduce new risks for your IT system,” said researchers from Securelist. “Our analysis of the ZKTeco biometric terminal yielded a total of 24 vulnerabilities. Many of those were similar, stemming from an error in the database wrapper library.”

In the News: Netgear’s budget-friendly router caught with critical security flaw

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: