CHT Security Red Team Discovered Several Vulnerabilities in a Well-Known Domestic Door Access Control and Personnel Attendance Management System

CHT Security Red Team discovered a use of hard-coded credentials (CVE-2021-35961) and a path traversal vulnerability (CVE-2021-35962) in a well-known domestic door access control and personnel attendance management system. The vulnerabilities are briefly described as follows:


CVE-2021-35961: Hard-coded default credentials in the system allow unauthenticated remote attackers to obtain administrator privileges and execute arbitrary functions. This vulnerability is classified under A6 - Security Misconfiguration of the OWASP Top 10 2017.


CVE-2021-35962: A path traversal vulnerability in the system allows remote attackers to download confidential files without authorization. This vulnerability is classified under A5 - Broken Access Control of the OWASP Top 10 2017.


The vendor released patches after receiving our report. If your organization or enterprise is using the affected door access control and personnel attendance management system, it is recommended that you contact the vendor to obtain and apply the updates as soon as possible.


CHT Security also recommends the following measures:

  1. Enterprises: Contact the vendor and install the patch as soon as possible.
  2. System vendors: Implement input validation in the applications. It is recommended to adopt a Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as source code security analysis and penetration testing, to effectively ensure product security for clients.
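As an illustration of the input validation recommended above for the file-download case (CVE-2021-35962), the following is an added example written for this advisory, not code from the affected product or its vendor. It assumes a hypothetical export directory and a download handler that takes a bare file name from the request; the allow-list and the containment check are independent so that loosening one still leaves the other in place.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed example: the only directory the download handler may serve from
# (hypothetical path, not taken from the advisory).
EXPORT_ROOT = PurePosixPath("/srv/attendance/exports")

# Allow-list for a bare file name: letters, digits, dot, dash, underscore;
# no path separators, no leading dot, and only the expected export extensions.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,127}\.(csv|xlsx|pdf)$")


class TraversalError(ValueError):
    """Raised when a requested file name would escape EXPORT_ROOT."""


def resolve_download(requested: str, root: PurePosixPath = EXPORT_ROOT) -> PurePosixPath:
    """Map a user-supplied file name to a path inside `root`, or raise.

    Two independent checks: an allow-list on the name itself, then a lexical
    containment check on the normalised path as defence in depth. Symlinks
    inside `root` are not covered by a lexical check; pair this with
    os.path.realpath() against the real export directory when serving the file.
    """
    if "\x00" in requested:
        raise TraversalError("NUL byte in file name")
    if not SAFE_NAME.fullmatch(requested):
        raise TraversalError(f"file name not allowed: {requested!r}")
    # normpath collapses any '..' segments; relative_to() then verifies the
    # result still lies under root (it raises ValueError if it does not).
    candidate = PurePosixPath(posixpath.normpath(posixpath.join(str(root), requested)))
    try:
        candidate.relative_to(root)
    except ValueError:
        raise TraversalError(f"path escapes export root: {candidate}") from None
    return candidate


def is_traversal_attempt(requested: str) -> bool:
    """True if the requested name is rejected; useful for request logging and alerting."""
    try:
        resolve_download(requested)
        return False
    except TraversalError:
        return True
```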