CVE-2026-9508Critical

Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be pub…

CVSS

10.0

Critical

EPSS

0.00

p23

Published

2026-01-01

Updated

2026-01-01

Description

Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.

Tags · CWE

Pre-auth

CWE-732

CAPEC-1

CAPEC-17

CAPEC-60

CAPEC-61

CAPEC-62

CAPEC-122

CAPEC-127

CAPEC-180

CAPEC-206

CAPEC-234

CAPEC-642

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

2026-01-01

Published

2026-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Attack Requirements

AT: N

None

Privileges Required

PR: N

None (N)

User Interaction

UI: N

None (N)

Vulnerable System Confidentiality

VC: H

High (H)

Vulnerable System Integrity

VI: H

High (H)

Vulnerable System Availability

VA: L

Low (L)

Subsequent System Confidentiality

SC: H

High (H)

Subsequent System Integrity

SI: H

High (H)

Subsequent System Availability

SA: L

Low (L)

Exploit Code Maturity

E: X

Not Defined

Confidentiality Requirement

CR: X

Not Defined

Integrity Requirement

IR: X

Not Defined

Availability Requirement

AR: X

Not Defined

Modified Attack Vector

MAV: X

Not Defined

Modified Attack Complexity

MAC: X

Not Defined

Modified Attack Requirements

MAT: X

Not Defined

Modified Privileges Required

MPR: X

Not Defined

Modified User Interaction

MUI: X

Not Defined

Modified Vulnerable System Confidentiality

MVC: X

Not Defined

Modified Vulnerable System Integrity

MVI: X

Not Defined

Modified Vulnerable System Availability

MVA: X

Not Defined

Modified Subsequent System Confidentiality

MSC: X

Not Defined

Modified Subsequent System Integrity

MSI: X

Not Defined

Modified Subsequent System Availability

MSA: X

Not Defined

S: X

AU: X

R: X

V: X

RE: X

U: X

Exploit indicators

EPSS

0.001 · p23

Known exploited (KEV)

MITRE ATT&CK

Inferred via CAPEC

T1083File and Directory Discovery

└ via CAPEC-127 · CWE-732

T1134.001Token Impersonation/Theft

└ via CAPEC-60 · CWE-732

T1505.005Terminal Services DLL

└ via CAPEC-642 · CWE-732

T1548Abuse Elevation Control Mechanism

└ via CAPEC-122 · CWE-732

T1550.004Web Session Cookie

└ via CAPEC-60 · CWE-732

T1553.002Code Signing

└ via CAPEC-206 · CWE-732

T1554Compromise Host Software Binary

└ via CAPEC-642 · CWE-732

T1574.005Executable Installer File Permissions Weakness

└ via CAPEC-17 · CWE-732

T1574.010Services File Permissions Weakness

└ via CAPEC-1 · CWE-732

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

No vulnerabilities match your filters.

External references

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar