CVE-2026-9508
Deferred Deferred - Pending Action
Incorrect Permission Settings in Suprema BioStar 2 Allow Unauthenticated Backup File Download

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via β€˜http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-9508
EUVD
EUVD-2026-33282
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
suprema biostar From 2.9.3 (inc) to 2.9.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability exposes highly sensitive information through publicly accessible backup files, which can lead to unauthorized access to databases and server impersonation.

Such exposure of sensitive data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive information.

Failure to protect backup files and prevent unauthorized access may lead to data breaches, putting organizations at risk of regulatory penalties and reputational damage.

Executive Summary

CVE-2026-9508 is a critical vulnerability in Suprema's BioStar 2 (Server) versions 2.9.3 through 2.9.11 caused by incorrect permission settings on a critical resource.

When an administrator configures the backup file path within the NGINX webroot, backup ZIP files become publicly accessible.

This allows an attacker with network access to download these backup files without authentication by accessing URLs like 'http(s)://[server]/download/...'.

The exposed backup files contain highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement within the network.

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure of sensitive backup data.

  • Attackers can impersonate the server.
  • They can gain unauthorized access to databases.
  • It enables lateral movement within the network, potentially compromising other systems.
Detection Guidance

This vulnerability can be detected by checking if backup ZIP files are publicly accessible via HTTP(S) without authentication. Specifically, you can attempt to access URLs matching the pattern 'http(s)://[server]/download/...' to see if backup files are exposed.

A simple command to test this on your system or network is to use curl or wget to try downloading backup files from the suspected server path. For example:

  • curl -I http://[server]/download/backup.zip
  • wget --spider http://[server]/download/backup.zip

If these commands return HTTP 200 OK responses and the files are accessible without authentication, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid configuring backup file paths within the NGINX webroot to prevent public exposure.
  • Restrict access to the /download/ directory using proper authentication and authorization controls.
  • Update Suprema BioStar 2 to the latest version where this vulnerability has been fixed.
  • Review and correct permission settings on critical resources to ensure backups are not publicly accessible.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9508. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart