CVE-2023-38028

CRITICAL

Saho ADM100 and ADM-100FP - Unauthenticated Information Disclosure and Data Manipulation

Title source: llm

Description

Saho’s attendance devices ADM100 and ADM-100FP have insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication to read system information and operate user's data, but can’t control system or disrupt service.

References (1)

Core 1

Core References

Third Party Advisory

https://www.twcert.org.tw/tw/cp-132-7335-d300a-1.html

Scores

CVSS v3 9.1

EPSS 0.0067

EPSS Percentile 47.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-306

Status published

Products (12)

saho/adm-100_firmware 0.0.4.0

saho/adm-100_firmware 0.0.4.3

saho/adm-100_firmware 0.0.4.6

saho/adm-100_firmware 0.0.4.8

saho/adm-100_firmware q20100602

saho/adm-100_firmware t190

saho/adm-100_firmware t17041702

saho/adm-100_firmware t18051803

saho/adm-100fp_firmware q20100602

saho/adm-100fp_firmware t190

... and 2 more

Published Aug 28, 2023

Tracked Since Feb 18, 2026