CVE-2026-9508

10.0 CRITICAL (CVSS 4.0)
Description
Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via 'http(s)://[server]/download/…' without requiring authentication. The exposed backups contain highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.

Metadata

CVE ID
CVE-2026-9508
State
PUBLISHED
Assigner
INCIBE
Reserved
2026-05-25 13:57 UTC
Published
2026-05-29 12:09 UTC
Last updated
2026-05-29 13:33 UTC
Primary CWE
CWE-732
CWE-732: Incorrect Permission Assignment for Critical Resour…
Vendor / Product
Suprema / BioStar 2 (server)
Sources
cve.org  ·  NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
total
Affected products (1)
Vendor | Product | Platform | Versions
Suprema | BioStar 2 (server) | | v2.9.3 ≤ v2.9.11, v2.9.12
Weakness (CWE)
CWE | Source | Description
CWE-732 | cna | CWE-732: Incorrect Permission Assignment for Critical Resource
CVSS scores (1)
Score | Severity | Version | Source | Vector
10.0 | CRITICAL | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L