CVE-2026-9508
Incorrect Permission Settings in Suprema BioStar 2 Allow Unauthenticated Backup File Download
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| suprema | biostar | From 2.9.3 (inc) to 2.9.11 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9508 is a critical vulnerability in Suprema's BioStar 2 (Server) versions 2.9.3 through 2.9.11 caused by incorrect permission settings on a critical resource.
When an administrator configures the backup file path within the NGINX webroot, backup ZIP files become publicly accessible.
This allows an attacker with network access to download these backup files without authentication by accessing URLs like 'http(s)://[server]/download/...'.
The exposed backup files contain highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement within the network.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized disclosure of sensitive backup data.
- Attackers can impersonate the server.
- They can gain unauthorized access to databases.
- It enables lateral movement within the network, potentially compromising other systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if backup ZIP files are publicly accessible via HTTP(S) without authentication. Specifically, you can attempt to access URLs matching the pattern 'http(s)://[server]/download/...' to see if backup files are exposed.
A simple command to test this on your system or network is to use curl or wget to try downloading backup files from the suspected server path. For example:
- curl -I http://[server]/download/backup.zip
- wget --spider http://[server]/download/backup.zip
If these commands return HTTP 200 OK responses and the files are accessible without authentication, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Avoid configuring backup file paths within the NGINX webroot to prevent public exposure.
- Restrict access to the /download/ directory using proper authentication and authorization controls.
- Update Suprema BioStar 2 to the latest version where this vulnerability has been fixed.
- Review and correct permission settings on critical resources to ensure backups are not publicly accessible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability exposes highly sensitive information through publicly accessible backup files, which can lead to unauthorized access to databases and server impersonation.
Such exposure of sensitive data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive information.
Failure to protect backup files and prevent unauthorized access may lead to data breaches, putting organizations at risk of regulatory penalties and reputational damage.