CVE-2024-22988

9.8 CRITICAL

📋 TL;DR

This vulnerability in ZKteco ZKBio WDMS allows attackers to download database backups by predicting timestamp-based filenames in the /files/backup/ component. Attackers can access sensitive data including user credentials, biometric templates, and system configurations. Organizations using ZKBio WDMS versions before 9.0.2 Build 20250526 are affected.

💻 Affected Systems

Products:
  • ZKteco ZKBio WDMS
Versions: All versions before 9.0.2 Build 20250526
Operating Systems: Windows (primary deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations with the backup component enabled. The vulnerability exists in the web interface component.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with access to all biometric data, user credentials, and system configurations leading to identity theft, unauthorized physical access, and data exfiltration.

🟠

Likely Case

Data breach exposing sensitive biometric and personal information, credential harvesting for lateral movement, and potential compliance violations.

🟢

If Mitigated

Limited exposure if /files/backup/ is blocked at the web server or network layer and the host is reachable only from a management network. Until the patch is applied the filenames remain predictable, so any path that still reaches the backup directory without authentication exposes the archives.

🌐 Internet-Facing: HIGH - Directly exploitable over HTTP/HTTPS without authentication, making internet-facing instances immediate targets.
🏢 Internal Only: HIGH - Even internally, attackers with network access can exploit this vulnerability to gain sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to predictable URLs. Public proof-of-concept scripts are available demonstrating the attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.2 Build 20250526

Vendor Advisory: https://www.zkteco.com/en/Security_Bulletinsibs/12

Restart Required: Yes

Instructions:

1. Download the latest version from the ZKteco official website.
2. Back up the current configuration and data.
3. Install the update following the vendor's instructions.
4. Restart the WDMS service.
5. Verify the update was successful (the version should show 9.0.2 Build 20250526 or later).

🔧 Temporary Workarounds

Block Backup Directory Access

Configure the web server or reverse proxy that fronts WDMS, or the host firewall, to block the /files/backup/ path. The Apache and Nginx rules only help if every client reaches WDMS through that layer; if the WDMS listener itself is reachable, firewall it or bind it to localhost. Windows Firewall cannot filter on URL path, so its rule takes the entire web interface on 80/443 offline for every client, not just the backup path; use it only as an emergency measure while you patch.

# For Apache (server or vhost context; requires mod_rewrite and RewriteEngine On):
RewriteRule ^/files/backup/ - [F,L]
# For Nginx:
location ~ ^/files/backup/ { deny all; }
# For Windows Firewall (blocks the whole web interface, not only the backup path):
New-NetFirewallRule -DisplayName "Block ZKBio Backup" -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress Any -Action Block

Implement Access Controls

Require authentication at the proxy for the backup directory. Prefer the block rule above unless operators genuinely need to fetch backups over this path; if you do use basic auth, serve it over HTTPS only, since the credentials travel base64-encoded in every request. The directives must be scoped to the path, otherwise they apply to the whole site.

# Apache basic auth example (server or vhost context):
<Location "/files/backup/">
  AuthType Basic
  AuthName "Restricted Access"
  AuthUserFile /path/to/.htpasswd
  Require valid-user
</Location>
# Nginx auth example:
location ~ ^/files/backup/ { auth_basic "Restricted"; auth_basic_user_file /path/to/.htpasswd; }

🧯 If You Can't Patch

  • Implement network segmentation to isolate ZKBio WDMS from untrusted networks
  • Deploy web application firewall (WAF) with rules to block requests to /files/backup/ patterns

🔍 How to Verify

Check if Vulnerable:

Send an unauthenticated GET (no session cookie) to http://[target]/files/backup/ followed by a timestamp-based filename (e.g., backup_20250526.zip). A 200 response that carries an archive rather than an HTML login page means backups are reachable without authentication and the system is vulnerable. A 200 with an HTML body is usually the login page or application shell served for every path, not a download.

Check Version:

Check the web interface login page or about section, or examine installed program version in Windows Control Panel.

Verify Fix Applied:

After patching, repeat the same requests. They should return 401/403/404 or redirect to the login page. Confirm that the version shows 9.0.2 Build 20250526 or later, and keep any proxy or firewall rule in place until that is verified.
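Both checks above amount to one unauthenticated request per path and a look at the status code and content type. The script below does exactly that and classifies the answer; it is an added example written for this page, not ZKTeco tooling and not the public PoC. It assumes the page's illustrative filename backup_20250526.zip (the real naming scheme is not given here) and a WDMS instance at the base URL you pass on the command line.

```python
"""Unauthenticated reachability check for the WDMS backup path.

Added example for the two verification checks above. It sends a plain GET,
with no session cookie, for the /files/backup/ directory and for one
timestamp-style filename, and classifies the response. The filename
backup_20250526.zip is the advisory's illustrative name and an assumption
about the real naming scheme; pass your own paths on the command line.
"""
import sys
import urllib.error
import urllib.request

DEFAULT_PATHS = ["/files/backup/", "/files/backup/backup_20250526.zip"]  # assumed names


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of silently following it to the login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, content_type, content_length):
    """Turn one unauthenticated response into a verdict string.

    A 2xx with a non-HTML body (zip, octet-stream) means the server handed out
    the file. A 2xx HTML body is usually a login page or application shell
    served for every path, so it is reported separately, not as a download.
    """
    ct = (content_type or "").lower()
    if 200 <= status < 300:
        if "text/html" in ct:
            return "200-html (login/app page, not a download; inspect the body manually)"
        return f"VULNERABLE: served {content_length or '?'} bytes ({ct or 'no content-type'})"
    if status in (401, 403):
        return "blocked (access denied or authentication required)"
    if status == 404:
        return "not found (path absent, or filename guess wrong)"
    if 300 <= status < 400:
        return "redirect (probably to login; treat as blocked)"
    return f"unexpected status {status}"


def probe(base_url, paths=DEFAULT_PATHS, timeout=10):
    """GET each path without credentials; returns [(path, verdict), ...].

    Only the first byte of the body is read, so a real backup is never pulled in full.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    results = []
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "cve-2024-22988-check"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, hdrs = resp.status, resp.headers
                resp.read(1)
        except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
            status, hdrs = e.code, e.headers
        except (urllib.error.URLError, OSError) as e:
            results.append((path, f"connection error: {e}"))
            continue
        results.append((path, classify(status, hdrs.get("Content-Type"),
                                       hdrs.get("Content-Length"))))
    return results


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    paths = sys.argv[2:] or DEFAULT_PATHS
    for path, verdict in probe(base, paths):
        print(f"{path:45} {verdict}")
```

Run it once before mitigating (expect VULNERABLE on the file path if the name is right) and again after patching or adding the proxy rule (expect blocked, not found, or redirect on both paths). Redirects are deliberately not followed, because a proxy that bounces /files/backup/ to the login page would otherwise look like a 200 HTML hit.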

📡 Detection & Monitoring

Log Indicators:

  • HTTP 2xx responses for any request under /files/backup/
  • Unusually large response sizes on the backup directory (a database archive, not an error page)
  • Bursts of 404 responses under /files/backup/ from one client followed by a 200: filename guessing that succeeded
  • Backup downloads from a client that never logged in to the web interface (the exploit needs no session)

Network Indicators:

  • Sequences of requests to /files/backup/ whose filenames step through dates or timestamps
  • Large outbound transfers from the WDMS server to a host that is not a known backup destination

SIEM Query:

source="web_server_logs" AND uri_path="/files/backup/*" AND response_code=200

Group the hits by src_ip and user_agent. A curl, wget or python-requests user agent on a hit is a strong signal, but keep it as an enrichment field rather than an OR term in the filter: ORed in, it matches every curl or wget request the server answered with 200, not just backup downloads. Pair the query with a second one for bursts of 404s under /files/backup/ from a single source, which is what filename guessing looks like before it succeeds.
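As an added example (not from the advisory or any vendor tooling), the script below runs that detection logic over a few constructed Combined Log Format lines, the default format of Apache and Nginx: it flags any 2xx under /files/backup/ as a download and any client that requests several distinct backup names as an enumerator. The backup_YYYYMMDD.zip names in the sample are modelled on the page's illustrative filename and are an assumption, which is why the path match is on the directory rather than on a specific naming scheme.

```python
"""Hunt for CVE-2024-22988 backup downloads in web-server access logs.

Added example, not part of the advisory or of any ZKTeco tooling. It parses
Combined Log Format lines and reports:
  * any 2xx response for a path under /files/backup/ (a successful download)
  * clients that request many distinct backup names (enumeration, mostly 404s)
The sample log lines are constructed for this example; the backup_YYYYMMDD.zip
names follow the advisory's illustrative filename and are an assumption, so
the path match is on the directory, not on a specific naming scheme.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
BACKUP_PATH_RE = re.compile(r'^/files/backup/')
ENUM_THRESHOLD = 5  # distinct backup names from one IP before we call it enumeration


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def analyze(lines):
    """Return (downloads, enumerators).

    downloads:   list of (ip, path, size, user_agent) for 2xx hits under /files/backup/
    enumerators: dict ip -> number of distinct backup names that ip requested,
                 for ips at or above ENUM_THRESHOLD (404s count; that is the tell)
    """
    downloads = []
    names_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not BACKUP_PATH_RE.match(rec["path"]):
            continue
        names_by_ip[rec["ip"]].add(rec["path"].split("?", 1)[0])
        if 200 <= rec["status"] < 300:
            downloads.append((rec["ip"], rec["path"], rec["size"], rec["ua"] or ""))
    enumerators = {ip: len(n) for ip, n in names_by_ip.items() if len(n) >= ENUM_THRESHOLD}
    return downloads, enumerators


# Constructed sample: one client guesses dates until it hits, one legitimate user
# gets a 403 on the directory after a block rule was added.
SAMPLE_LOG = """\
198.51.100.7 - - [26/May/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.9 - - [26/May/2025:10:02:10 +0000] "GET /files/backup/backup_20250520.zip HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.9 - - [26/May/2025:10:02:11 +0000] "GET /files/backup/backup_20250521.zip HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.9 - - [26/May/2025:10:02:11 +0000] "GET /files/backup/backup_20250522.zip HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.9 - - [26/May/2025:10:02:12 +0000] "GET /files/backup/backup_20250523.zip HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.9 - - [26/May/2025:10:02:12 +0000] "GET /files/backup/backup_20250524.zip HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.9 - - [26/May/2025:10:02:13 +0000] "GET /files/backup/backup_20250525.zip HTTP/1.1" 200 58120493 "-" "curl/8.4.0"
198.51.100.7 - - [26/May/2025:10:05:44 +0000] "GET /files/backup/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    dl, en = analyze(SAMPLE_LOG.splitlines())
    for ip, path, size, ua in dl:
        print(f"DOWNLOAD    {ip} {path} {size} bytes ua={ua!r}")
    for ip, n in en.items():
        print(f"ENUMERATION {ip} tried {n} distinct backup names")
```

On the sample, 203.0.113.9 is reported both as an enumerator (six distinct names) and as a download (the 200 with a 58 MB body), while 198.51.100.7 is not reported at all: a single 403 on the directory is the block rule working. Point the script at a real log by replacing SAMPLE_LOG.splitlines() with the file's lines; the user agent is carried along for triage but is not used as a filter, for the reason given under the SIEM query.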
