CVE-2024-35428

7.1 HIGH

📋 TL;DR

ZKTeco ZKBio CVSecurity 6.1.1 has a directory traversal vulnerability in the BaseMediaFile component that allows authenticated users to delete arbitrary files on the server. This can lead to denial of service by deleting critical system files. Organizations using ZKBio CVSecurity 6.1.1 for access control and security management are affected.

💻 Affected Systems

Products:
  • ZKTeco ZKBio CVSecurity
Versions: 6.1.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the ZKBio CVSecurity web interface. The vulnerability is in the BaseMediaFile component used for media file management.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical OS files, causing permanent data loss and extended service downtime requiring full system restoration.

🟠 Likely Case

Targeted deletion of application or configuration files causing service disruption, requiring file restoration from backups and temporary system unavailability.

🟢 If Mitigated

Limited impact to non-critical files with quick restoration from backups and minimal service interruption.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but uses simple directory traversal techniques. Public proof-of-concept demonstrates file deletion capability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Contact ZKTeco support for patch availability
2. Monitor ZKTeco security advisories
3. Apply patch when available following vendor instructions

🔧 Temporary Workarounds

Restrict File System Access (platform: windows)

Limit the application's file system permissions to prevent deletion of critical files.

Run the ZKBio CVSecurity service under a restricted user account with minimal file permissions.

Network Segmentation (platform: all)

Isolate ZKBio CVSecurity systems from critical infrastructure.

Implement firewall rules to restrict access to the ZKBio CVSecurity management interface.

🧯 If You Can't Patch

  • Implement strict access controls and monitor authenticated user activities
  • Maintain regular backups of critical system and application files

🔍 How to Verify

Check if Vulnerable:

Check if running ZKBio CVSecurity version 6.1.1 via the web interface or application properties

Check Version:

Check web interface login page or application About section

Verify Fix Applied:

Verify that the installed version is later than 6.1.1, or confirm that directory traversal attempts against the BaseMediaFile component are rejected by the application.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion events in application logs
  • Multiple failed file access attempts with directory traversal patterns

Network Indicators:

  • HTTP requests containing '../' patterns to BaseMediaFile endpoints
  • Unusual file deletion requests from authenticated sessions

SIEM Query:

source="zkbio_logs" AND (event="file_delete" OR url="*BaseMediaFile*") AND (path="*../*" OR path="*..\\*")
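The SIEM query above matches only literal '../' and '..\' strings. Attackers commonly URL-encode or double-encode the traversal sequence, so a detection that runs on raw request lines should decode before matching. The following script is an added example for this page (not ZKTeco's code or part of the original advisory): it parses a few constructed Common Log Format lines, repeatedly URL-decodes each request target, and flags traversal sequences aimed at any URL whose path contains "BaseMediaFile". The hostnames, user names, request paths and the "name" parameter are assumptions for illustration, not the product's real routes.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). The routes and the
# "name" parameter are assumptions for illustration, not ZKBio's real endpoints.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Jun/2024:10:01:02 +0000] "GET /zkbio/BaseMediaFile/list HTTP/1.1" 200 512
10.0.0.5 - alice [12/Jun/2024:10:01:09 +0000] "POST /zkbio/BaseMediaFile/delete?name=../../../windows/win.ini HTTP/1.1" 200 17
10.0.0.7 - bob [12/Jun/2024:10:02:15 +0000] "POST /zkbio/BaseMediaFile/delete?name=..%2F..%2Fconfig%2Fapp.properties HTTP/1.1" 200 17
10.0.0.9 - carol [12/Jun/2024:10:03:00 +0000] "GET /zkbio/BaseMediaFile/view?name=%252e%252e%5Cboot.ini HTTP/1.1" 404 0
10.0.0.11 - dave [12/Jun/2024:10:04:30 +0000] "GET /zkbio/BaseMediaFile/view?name=logo.png HTTP/1.1" 200 2048
10.0.0.12 - erin [12/Jun/2024:10:05:00 +0000] "GET /zkbio/dashboard?q=../x HTTP/1.1" 200 100
"""

# Common Log Format: client, ident, user, timestamp, "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A ".." segment followed by a forward or back slash, or at end of string.
TRAVERSAL_RE = re.compile(r'\.\.(?:[\\/]|$)')


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing, so %252e%252e (double
    encoded) is reduced to '..' just like %2e%2e is. Bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    """True if the decoded request target (path plus query) contains '../' or '..\\'."""
    return TRAVERSAL_RE.search(fully_decode(target)) is not None


def targets_basemediafile(target):
    """True if the URL path (not the query string) references the BaseMediaFile component."""
    return 'basemediafile' in urlsplit(target).path.lower()


def scan_log(text):
    """Parse each log line and annotate it with the two detection flags.
    Lines that do not match the expected format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec['decoded'] = fully_decode(rec['target'])
        rec['traversal'] = has_traversal(rec['target'])
        rec['basemediafile'] = targets_basemediafile(rec['target'])
        records.append(rec)
    return records


def alerts(text):
    """Return only records where a traversal sequence targets BaseMediaFile:
    the combination the advisory's network indicators describe."""
    return [r for r in scan_log(text) if r['traversal'] and r['basemediafile']]


def attempts_per_user(text):
    """Count flagged requests per authenticated user, for the 'multiple
    attempts from one session' indicator."""
    return Counter(r['user'] for r in alerts(text))


if __name__ == '__main__':
    for r in alerts(SAMPLE_LOG):
        print(f"{r['ts']} user={r['user']} ip={r['ip']} {r['method']} {r['decoded']} -> {r['status']}")
    print(dict(attempts_per_user(SAMPLE_LOG)))
```

On the constructed sample the script flags the three BaseMediaFile requests carrying plain, single-encoded and double-encoded traversal sequences, and ignores the plain media lookup and the traversal aimed at an unrelated route (which you may still want to review separately). A 200 status on a flagged deletion request is the case to escalate first, since it suggests the traversal was not rejected.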
