CVE-2016-20024

ZKTeco · ZKTime.Net

ZKTeco ZKTime.Net 3.0.1.6 contains insecure file permissions that allow unprivileged users to escalate privileges by replacing executable files with malicious binaries.

Executive summary

Insecure directory permissions in ZKTeco ZKTime.Net 3.0.1.6 allow local unprivileged users to escalate their privileges to SYSTEM level by hijacking executable files.

Vulnerability

The application directory (ZKTimeNet3.0) and its contents are configured with world-writable permissions. This allows any unprivileged user on the system to replace legitimate executables with malicious ones, which are then executed by the system.

Business impact

A successful exploit results in full local privilege escalation: a low-privileged user gains SYSTEM-level access, potentially compromising the entire host machine and any data it manages. The CVSS score of 9.8 reflects the Critical risk of total loss of confidentiality, integrity, and availability on the affected system.

Remediation

Immediate Action: Update ZKTime.Net to a version that correctly applies the principle of least privilege to its file system structure.

Proactive Monitoring: Audit file integrity within the ZKTimeNet3.0 directory and monitor for unauthorized modifications to .exe or .dll files.

Compensating Controls: Manually restrict NTFS permissions on the application directory to allow only administrators and the service account to have write access.
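
The monitoring and permission checks above can be scripted. The following PowerShell is an added example, not vendor code or part of the original advisory: it lists write-class access granted to broad principals under the application directory and compares SHA-256 hashes of its .exe and .dll files with a baseline. The install path and baseline location are not given in the advisory, so both are parameters you must supply.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell 5.1+ session.
param(
    [Parameter(Mandatory)] [string] $AppDir,        # placeholder: full path of the ZKTimeNet3.0 directory
    [Parameter(Mandatory)] [string] $BaselinePath   # placeholder: CSV kept where only administrators can write
)

# Broad, unprivileged principals, matched by well-known SID so the check is locale-independent.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Rights that allow replacing or planting a binary, plus the raw GENERIC_WRITE / GENERIC_ALL bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericMask = 0x50000000

# 1. Report every Allow ACE that gives one of those principals write-class access.
$items = @(Get-Item -LiteralPath $AppDir) + @(Get-ChildItem -LiteralPath $AppDir -Recurse -Force)
$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid  = $ace.IdentityReference.Value
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
            ($bits -band ($WriteMask -bor $GenericMask))) {
            [pscustomobject]@{ Path = $item.FullName; Principal = $BroadSids[$sid]
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No write access for broad principals found.' }

# 2. Hash every .exe/.dll and compare with a baseline taken from a known-good install.
$current = Get-ChildItem -LiteralPath $AppDir -Recurse -File -Force |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash
if (-not $current) { throw "No .exe or .dll files found under $AppDir" }

if (Test-Path -LiteralPath $BaselinePath) {
    $diff = Compare-Object @(Import-Csv -LiteralPath $BaselinePath) @($current) -Property Path, Hash
    if ($diff) { $diff | Sort-Object Path | Format-Table Path, Hash, SideIndicator -AutoSize -Wrap } else { 'Binaries match the baseline.' }
} else {
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    "Baseline written to $BaselinePath"
}
```

Each row from step 1 is a path an unprivileged user can overwrite; after tightening the NTFS permissions, a rerun should return no rows. Deny entries are not evaluated, so treat the output as a conservative list to review.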

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is a textbook case of insecure deployment. Administrators must either update the software immediately or manually harden the file system permissions to prevent unprivileged users from gaining full control over the server.