CVE-2026-9508
Vulnerability Description
Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-732
Source
NVD
Discussion (0)
Add Comment
No comments yet. Be the first!