Path Traversal in ConacWin CB (Setelsa)
We identified an unauthenticated path traversal flaw in ConacWin CB, the physical access control management software by Setelsa Security. A remote attacker could download arbitrary files from the server through a vulnerable parameter. The vendor shipped the fix in version 3.8.2.3.
Advisory facts
- CVSS v3.1: 7.5
- CWE: CWE-22 · CWE-23
- Severity: High
- Vendor: Setelsa Security
- Product: ConacWin CB
- Affected versions: 3.8.2.2 and earlier
- Patched version: 3.8.2.3
- Status: Patched by the vendor
- Discovered by: Agustín Picazo
- NVD published: 2023-10-04
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Quick summary
An unauthenticated remote attacker could download files from the operating system hosting ConacWin CB by sending relative paths (`../`) through the product's file download parameter. Setelsa Security shipped version 3.8.2.3 with the fix. The advisory is tracked on NVD, GitHub Security Advisories and INCIBE-CERT.
Why this matters
ConacWin CB is a very specific kind of software: it manages physical access control for buildings and facilities (card readers, turnstiles, magnetic locks). The host server typically lives inside the corporate network, integrated with Active Directory and, in some deployments, with CCTV or alarm management.
An arbitrary file download flaw on a system with that role is not just a data leakage problem. It means anyone with network access (or Internet access, if the management console was exposed) could pull the service binary, configuration files with connection strings, keys or tokens, and even backups of the database that holds the identities authorised to enter the building.
Put another way: starting from an arbitrary file download with CVSS 7.5 ends, in many cases, with exposed service credentials, detailed knowledge of the access control topology and a pivot path into adjacent systems. It is a useful reminder that classifying a bug as "information disclosure" routinely understates the impact when the affected asset is critical.
Technical detail
The flaw is catalogued under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-23 (Relative Path Traversal). The product exposed a file download feature that took the target filename from user input without canonicalising the path or validating that the result stayed inside an allowed directory.
The CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N vector is transparent: network attack (AV:N), low complexity (AC:L), no prior privileges (PR:N), no user interaction (UI:N), high confidentiality impact (C:H) and no integrity or availability impact. The 7.5 score puts it in the HIGH range, and not by accident: the "unauthenticated + no interaction + high confidentiality" combo is exactly what makes these bugs land in NVD and CISA automated bulletins.
Following responsible disclosure principles, we don't publish the exact endpoint or a working PoC. Canonical exploitation of a path traversal walks directories with `../` sequences (encoded or not) until it reaches paths like `/etc/shadow` on Linux or `C:\Windows\System32\config\SAM` on Windows. In ConacWin CB's specific case the natural targets were the service configuration files and the local database.
Reading the CVSS vector
These are the components that push the vector to 7.5 points and justify the HIGH rating.
AV:N (Network): Remote attacker
If the product console was reachable on the network, the attack runs straight over HTTP.
AC:L · PR:N · UI:N: No barriers
Low complexity, no credentials, no need for any user to click anything. Point and shoot.
C:H (High): High confidentiality impact
Any file readable by the service account could be downloaded. In typical deployments, this includes configuration with secrets.
I:N · A:N: No write, no DoS
The bug on its own did not let the attacker modify files or take the service down. The damage materialises by chaining it with the exposed information.
Disclosure timeline
Q2 2023
Agustín Picazo (Black Giraffe / Secra) identifies the vulnerability during a review of access control products.
Q2 2023
Detailed report sent to Setelsa Security through their official channel.
Jul 13, 2023
INCIBE-CERT publishes the Spanish-language advisory.
Q3 2023
Setelsa Security ships ConacWin CB 3.8.2.3 with the fix.
Oct 4, 2023
Public release on NVD (CVE-2023-3512) and GitHub Security Advisories (GHSA-v6jm-v768-76h2).
Mitigation and recommendations
The official remediation is to upgrade ConacWin CB to 3.8.2.3 or later. The vendor patch enforces requested-path validation and canonicalisation to ensure the final resolved path stays inside the allowed directory.
If for operational reasons the upgrade is not immediate, reasonable compensating controls include network isolation of the product console (IP allow-listing, mandatory VPN), a WAF in blocking mode for path traversal patterns, and immediate rotation of any secret that may have lived inside the service configuration files while the bug was exploitable.
Architecturally, this case illustrates why management consoles for physical security products should never live on the general office network segment. A compromised access control console can be used to physically open a building or, worse, to cover tracks by deleting entry logs.
Closing checklist
1. Upgrade ConacWin CB to 3.8.2.3 or later.
2. Restrict access to the product console to a management VLAN, reachable only via VPN or jump host.
3. Rotate any credentials stored in service configuration files from versions previous to the patch.
4. Review service logs for requests containing `../`, `..%2f`, `..%252f` patterns during the exposure window.
5. Make sure console logs are replicated outside the host (an attacker with arbitrary download usually can also read and, eventually, overwrite them).
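As an added example (not the vendor's patch, which is not public), the following Python shows the two defensive steps the mitigation section and checklist items 1 and 4 call for: canonicalising the requested file name and checking that it stays inside a download root, and triaging access logs for `..` segments that only appear after single or double percent-decoding. The download root, the `/download?file=` parameter name and the log lines are constructed assumptions, not taken from ConacWin CB.

```python
import os
import re
import urllib.parse

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable: '..%252f' hides behind a single decode."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")

def resolve_download(requested, root):
    """Canonicalise root/requested and refuse anything that resolves outside root."""
    decoded = fully_decode(requested).replace("\\", "/")  # treat Windows separators like '/'
    if "\x00" in decoded or decoded.startswith("/") or decoded[1:2] == ":":
        raise ValueError("absolute path, drive letter or NUL byte")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))  # collapses '..' and symlinks
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"{requested!r} escapes {root}")
    return candidate

def is_allowed(requested, root="/srv/conacwin/downloads"):  # hypothetical download root
    try:
        return resolve_download(requested, root) is not None
    except ValueError:
        return False

def flag_traversal(log_lines):
    """Return lines whose request target holds a '..' segment once fully decoded."""
    hits = []
    for line in log_lines:
        match = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        try:
            target = fully_decode(match.group(1)) if match else ""
        except ValueError:
            target = ".."  # absurd encoding depth: count it as a hit
        if ".." in re.split(r"[/\\?=&]", target):
            hits.append(line)
    return hits

SAMPLE_LOG = [  # constructed combined-log lines; addresses and paths are made up
    '10.0.0.5 - - [13/Jul/2023:10:01:02 +0200] "GET /download?file=reports%2F2023.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Jul/2023:10:01:09 +0200] "GET /download?file=..%2f..%2fconfig%2fservice.ini HTTP/1.1" 200 2048',
    '10.0.0.9 - - [13/Jul/2023:10:01:15 +0200] "GET /download?file=..%252f..%252fdb%252fbackup.bak HTTP/1.1" 200 9000',
    '10.0.0.5 - - [13/Jul/2023:10:02:00 +0200] "GET /login HTTP/1.1" 200 300',
]
```

Running `flag_traversal(SAMPLE_LOG)` returns the second and third lines only; the first is a legitimate download whose `%2F` decodes to a plain separator.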
What this means if you run physical access control
Physical access control software often falls outside the scope of classic audits, which focus on public-facing web apps or server infrastructure. It is a blind spot: IT treats it as "vendor system software"; facilities treats it as "an IT problem". The result is that it is deployed and forgotten for years, until an advisory like this one puts it back on the table.
When we run infrastructure audits for clients, this kind of console (access control, CCTV, alarm management, building automation) systematically shows up among the highest-impact findings: legacy proprietary software, default passwords, weak network segmentation. Pointing the traditional infrastructure pentest model at these assets tends to move the needle far more than chasing yet another outdated WordPress.
About the researcher
The advisory is signed by Agustín Picazo (alias Black Giraffe), CTO and co-founder of Secra Solutions, certified OSCP, OSEP, CRTO, CRTL and CARTE. Agustín leads the firm's red team and offensive malware development practice and maintains an ongoing research line on physical security and industrial products.
When was the last time someone audited your management consoles?
We audit internal and external infrastructure with a real focus on the assets that hurt most: Active Directory, proprietary software, physical security consoles and cloud integrations. Findings with proof of concept and a prioritised remediation plan.