Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar
Summary
| CVE | CVE-2026-9508 |
|---|---|
| State | PUBLISHED |
| Assigner | INCIBE |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-29 13:16:23 UTC |
| Updated | 2026-05-29 13:16:23 UTC |
| Description | Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement. |
Risk And Classification
Primary CVSS: v4.0 10 CRITICAL from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-732 | CWE-732 CWE-732: Incorrect Permission Assignment for Critical Resource
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 10 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/C... |
| 4.0 | CNA | CVSS | 10 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
NonePrivileges Required
NoneUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
LowSub Conf.
HighSub Integrity
HighSub Availability
LowCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Suprema | BioStar 2 Server | affected v2.9.3 v2.9.11 custom | Not specified |
| CNA | Suprema | BioStar 2 Server | unaffected v2.9.12 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-suprema... | [email protected] | www.incibe.es | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Jordi Garcia Ribera (en)
Additional Advisory Data
Solutions
CNA: The vulnerability has been fixed by the Suprema team. We recommend updating to the latest available version.
There are currently no legacy QID mappings associated with this CVE.