Description
Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.
Published: 2026-05-29
Score: 10 Critical (CVSS v4.0)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Suprema BioStar 2 versions 2.9.3 through 2.9.11 expose backup ZIP files when an administrator sets the backup path inside the NGINX webroot. NGINX serves everything under its root as static content with no authentication check, so anyone with network access to the server can request http(s)://[server]/download/... and receive the backup archive without logging in. According to the advisory the archive holds material sensitive enough to impersonate the server, gain unauthorized access to its databases and move laterally in the network; server impersonation and database access are only possible if the archive carries the server's own secrets and database credentials, so those must be treated as compromised once a backup has been reachable. The root cause is incorrect permission assignment for a critical resource (CWE-732). The primary effect is a loss of confidentiality, though the CVSS v4.0 vector on this page also rates the integrity impact as high, consistent with what stolen server secrets allow.

Affected Systems

Suprema BioStar 2 servers running versions 2.9.3 through 2.9.11 whose backup storage location has been configured inside the NGINX webroot. The exposure is configuration-dependent: it exists only while the backup path points into that public web directory. Deployments that store backups elsewhere, and versions outside 2.9.3 through 2.9.11, are not affected.

Risk and Exploitability

The CVSS v4.0 score of 10 signals a critical flaw. The vector (AV:N/AC:L/AT:N/PR:N/UI:N) says it all: the attacker needs only network reach, no privileges, no user interaction and no special conditions, and exploitation is a single unauthenticated HTTP GET to the exposed /download/ path. The SSVC assessment recorded on this page agrees, rating the vulnerability Automatable: yes and Technical Impact: total, while noting Exploitation: none at the time of enrichment. No EPSS score is available and the CVE is not in CISA's KEV catalog, so there is no public evidence of in-the-wild exploitation yet; given how trivial the request is and how sensitive the archive contents are, that should not lower the priority for any deployment that has placed its backup path under the webroot.

Generated by OpenCVE AI on May 29, 2026 at 13:23 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by the Suprema team. We recommend updating to the latest available version.


OpenCVE Recommended Actions

  • Upgrade Suprema BioStar 2 to the latest available version, in which the backup path is no longer served publicly and downloading a backup archive requires authentication.
  • Until the upgrade is done, move the backup storage location outside the NGINX root, or reconfigure NGINX so the backup location is not served at all (for example a location block that denies direct access) or is only reachable behind authentication or IP‑based access controls.
  • Apply network segmentation or firewall rules so that only trusted administrative hosts can reach the BioStar web interface, and the /download/ path in particular, limiting the attack surface.
  • Treat any backup that was reachable as already disclosed: rotate the database credentials and server keys and certificates it contains, and review NGINX access logs for unauthenticated GET requests to /download/ that returned 200.
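The two checks that follow from the Impact paragraph and the actions above, as an added example; this is not Suprema's, INCIBE's or OpenCVE's code. The first tells an operator whether a configured backup directory resolves to a location under the NGINX root (the condition that makes this CVE apply, including paths that get there through `..` segments or trailing slashes). The second interprets what an unauthenticated GET of the /download/ URL returned, so that a 200 is only called "exposed" when the body really is a ZIP archive. The code assumes POSIX-style paths; the host name, directory names, file name and HTTP response in it are constructed samples, not values from a real BioStar 2 installation.

```python
# Added example (not Suprema's or OpenCVE's code): two offline checks for the
# exposure condition described on this page. Paths, host and file names and
# the probe response below are constructed samples.
import os
import posixpath
from dataclasses import dataclass, field
from urllib.parse import quote, urljoin

# ZIP local-file-header signature, plus the end-of-central-directory
# signature that an *empty* archive starts with.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")


def _canonical(path: str) -> str:
    """Normalise a POSIX-style path: make it absolute, collapse '.', '..',
    duplicate and trailing slashes, and resolve symlinks when the path exists
    on this host. Assumption: paths are written POSIX-style; backslashes from
    a Windows-hosted BioStar configuration are converted first."""
    path = posixpath.abspath(path.replace("\\", "/"))
    if os.name == "posix" and os.path.exists(path):
        return os.path.realpath(path)
    return path


def backup_dir_inside_webroot(backup_dir: str, webroot: str) -> bool:
    """True when the configured backup directory is the NGINX root itself or
    sits anywhere beneath it, i.e. the configuration under which BioStar 2
    backups become fetchable over HTTP without authentication."""
    b, w = _canonical(backup_dir), _canonical(webroot)
    # commonpath is segment-aware: /srv/html_old is *not* inside /srv/html,
    # which a plain str.startswith() check would get wrong.
    return posixpath.commonpath([b, w]) == w


def probe_url(server: str, backup_name: str) -> str:
    """Build the download URL the advisory describes,
    http(s)://[server]/download/<name>. The name is percent-encoded with no
    safe characters so a name containing '/' cannot change the path."""
    base = server if server.endswith("/") else server + "/"
    return urljoin(base, "download/" + quote(backup_name, safe=""))


@dataclass
class ProbeResponse:
    """What an unauthenticated GET of probe_url() returned."""
    status: int
    headers: dict = field(default_factory=dict)
    body_prefix: bytes = b""  # the first few bytes of the body are enough


def classify_download_response(resp: ProbeResponse) -> str:
    """Interpret the probe result.

    'exposed' : HTTP 200 whose body is a ZIP archive, served without any
                session. This is the vulnerable state.
    'guarded' : 401 or 403, access control is enforced in front of the file.
    'absent'  : 404, nothing at that name; this says nothing about the fix,
                the backup may simply be stored under another name.
    'unknown' : anything else, including a 200 that is not a ZIP (typically
                the HTML shell of the login page) or a redirect; look at it
                by hand rather than recording a verdict.
    """
    if resp.status == 200 and resp.body_prefix.startswith(ZIP_SIGNATURES):
        return "exposed"
    if resp.status in (401, 403):
        return "guarded"
    if resp.status == 404:
        return "absent"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample values: one install whose backup path was set under
    # the NGINX root (exposed) and several that were not.
    webroot = "/opt/biostar/nginx/html"
    for path in ("/opt/biostar/nginx/html/download/backup",
                 "/opt/biostar/nginx/html/../html/download",
                 "/opt/biostar/nginx/html_old/backup",
                 "/var/backups/biostar"):
        print(f"{path:45} inside webroot: {backup_dir_inside_webroot(path, webroot)}")

    # Constructed probe: what an exposed host answers to an unauthenticated GET.
    url = probe_url("https://biostar.example.test", "2026-05-29_backup.zip")
    served_zip = ProbeResponse(200, {"Content-Type": "application/zip"},
                               b"PK\x03\x04\x14\x00")
    print(url, "->", classify_download_response(served_zip))  # exposed
```

The classifier deliberately refuses to call a bare 200 "exposed": a single-page web UI will often answer any unknown path with its HTML login shell and a 200, so the ZIP signature in the body is the evidence, not the status code. Likewise a 404 after the upgrade is not proof that the fix is in place, only that nothing is stored under the name that was probed.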

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Supremainc
                                        Supremainc biostar 2
Vendors & Products                      Supremainc
                                        Supremainc biostar 2

Fri, 29 May 2026 14:30:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc (version 2.0.3): Exploitation: none; Automatable: yes; Technical Impact: total


Fri, 29 May 2026 12:45:00 +0000

Type                  Values Removed    Values Added
Description                             Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.
Title                                   Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar
Weaknesses                              CWE-732
References
Metrics                                 cvssV4_0: score 10, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-05-29T13:33:31.937Z

Reserved: 2026-05-25T13:57:29.006Z

Link: CVE-2026-9508

Vulnrichment

Updated: 2026-05-29T13:33:28.043Z

NVD

Status: Deferred

Published: 2026-05-29T13:16:23.967

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-9508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:46:43Z

Weaknesses