Insecure direct object reference in ZKTeco ZEM800

Posted date 04/09/2023
4 - High
Affected Resources

ZEM800, firmware version 6.60.


INCIBE has coordinated the publication of 1 vulnerability in ZKTeco ZEM800, a security device for access control and clocking in and out, which has been discovered by David Utón Amaya of Telefónica Tech team.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

  • CVE-2023-4587: CVSS v3.1: 8,3 | CVSS: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | CWE-639.

The gama has been updated and it is recommended to upgrade to the latest version available. Moreover, the product is at the end of its life cycle.


CVE-2023-4587: an IDOR vulnerability has been found in ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server.

References list