CVE-2026-9508: Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar
Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly download backup ZIP files via ‘http(s)://[server]/download/…’ without requiring authentication. The exposed archives contain highly sensitive information that can lead to server impersonation, unauthorized access to databases, and lateral movement.
HarborGuard Analysis
Synopsis
An incorrect permission assignment in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) exposes administrator-configured backup ZIP files through the NGINX webroot, letting any unauthenticated network user download them directly from a predictable /download/ URL. Successful exploitation hands the attacker sensitive backup contents that enable server impersonation, database access, and lateral movement into connected systems. A patched-image rebuild at v2.9.12 is available on HarborGuard for affected environments.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds within minutes of publication and matched against BioStar 2 images in customer registries and CI pipelines, including custom-built images that repackage the BioStar server.
- Triage: Available. The CVSS v4.0 score of 10.0 (Critical) is applied and then re-weighted against each customer org's compliance policy, so the finding routes to the right inbox based on exposure of the affected workload (internet-facing BioStar servers escalate ahead of internal-only deployments).
- Patched image: Available. A patched-image rebuild at v2.9.12 is available on HarborGuard. For customers who opt into auto-remediation, the rebuild is produced, a regression test run is executed, and a PR is opened against affected workloads automatically.
Exploit Conditions
- Network reachability: Required. The attacker must reach the BioStar 2 web server over the network on its HTTP(S) port (AV:N).
- Authentication: Not required. No credentials are needed; the backup files are served directly from the NGINX webroot (PR:N).
- Victim interaction: Not required. The attacker fetches the backup URL on their own; no administrator or user action is involved (UI:N).
- Attack complexity: Low (AC:L). The exploit is a single unauthenticated HTTP GET against a predictable /download/ path with no race or environmental conditions.
Blast Radius
- Reads the contents of administrator backup ZIP archives, including configuration and database material.
- Recovers credentials and keys from the backups that enable impersonation of the BioStar server to clients and devices.
- Uses extracted database contents and secrets to access connected systems and pivot laterally inside the network.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at BioStar 2 v2.9.12 is published for environments running 2.9.3 through 2.9.11, and for customers with auto-remediation enabled the rebuild is produced, regression-tested, and delivered as a PR against affected workloads. Median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in auto-remediation environments. Where compliance policy gates automatic merges, the same artifacts are staged for manual approval, and HarborGuard additionally surfaces compensating-control suggestions such as moving the backup directory out of the NGINX webroot and restricting /download/ at the reverse proxy until the upgrade lands.
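The two compensating controls named above, written out as an added NGINX example. This is illustration only, not Suprema's shipped configuration and not a HarborGuard artifact; the webroot `/var/www/biostar`, the backup directory `/var/backups/biostar`, the upstream port 9000, the server name and the admin network `10.0.0.0/24` are assumptions for the example. It shows the exposing layout (backup path under the NGINX root, so archives are served as plain static files) beside a hardened layout. The real fix remains the v2.9.12 upgrade.

```nginx
# Added illustration; paths, ports and networks are assumptions, not
# values from a BioStar 2 installation. TLS directives are omitted.

# --- Exposing layout (the condition the advisory describes; do not deploy) ---
# The administrator set the BioStar 2 backup path to a directory under the
# NGINX root, so every archive is a static file reachable by anyone as
# http(s)://server/download/<archive>.zip with no authentication in front.
server {
    listen 443 ssl;
    server_name biostar.example.internal;      # assumed
    root /var/www/biostar;                     # assumed webroot

    # Backup path configured as /var/www/biostar/download/ -> exposed,
    # because try_files serves a matching file before the app ever sees it.
    location / {
        try_files $uri @app;
    }
    location @app {
        proxy_pass http://127.0.0.1:9000;      # assumed BioStar 2 app port
    }
}

# --- Hardened layout (compensating control until v2.9.12 is deployed) ---
server {
    listen 443 ssl;
    server_name biostar.example.internal;
    root /var/www/biostar;

    # 1. Backups live outside the webroot: point the BioStar backup path at
    #    /var/backups/biostar (assumed), which no location below can serve,
    #    and move or delete archives already under /var/www/biostar/download/.

    # 2. Gate /download/ explicitly. A case-insensitive regex is used instead
    #    of a prefix location: prefix matching is case-sensitive, while on a
    #    case-insensitive filesystem /Download/x.zip would still resolve to
    #    the same file. The first matching regex location wins, so keep this
    #    block ahead of any other regex location in the server. Requests from
    #    outside the admin network get 403 in the access phase, before any
    #    file is opened.
    location ~* ^/download/ {
        allow 10.0.0.0/24;                     # assumed administrative network
        deny  all;
        try_files $uri =404;
    }

    location / {
        try_files $uri @app;
    }
    location @app {
        proxy_pass http://127.0.0.1:9000;
    }
}
```

Validate with `nginx -t` and reload; then, from a host outside the admin network, request any path under /download/ and confirm a 403 rather than a 200 (a 404 alone does not prove the gate works, only that the file was not found).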
Metrics
- CVSS v4.0: 10.0
- Severity: CRITICAL
- Fixed in: v2.9.12
- Affected Products: 1
  - Suprema / BioStar 2 (server): ≤ v2.9.11, fixed in v2.9.12
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L