Zkteco


Products by Zkteco, sorted by most security vulnerabilities since 2018

- Zkteco Biotime: 13 vulnerabilities
- Zkteco Zkbio Cvsecurity: 9 vulnerabilities
- Zkteco Zkbiosecurity V5000: 5 vulnerabilities
- Zkteco Bioaccess Ivs: 4 vulnerabilities
- Zkteco Wdms: 1 vulnerability
- Zkteco Zem800 Firmware: 1 vulnerability
- Zkteco Zkbio Access Ivs: 1 vulnerability
- Zkteco Zkbio Media: 1 vulnerability
- Zkteco Zkbio Time: 1 vulnerability
- Zkteco Zkbio Wdms: 1 vulnerability
- Zkteco Zktime: 1 vulnerability

Known Exploited Zkteco Vulnerabilities

The following Zkteco vulnerabilities have been marked by CISA as known to be exploited by threat actors.

Title: ZKTeco BioTime Path Traversal Vulnerability
Description: ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.
CVE: CVE-2023-38950 (Exploit Probability: 83.4%)
Added: May 19, 2025

The vulnerability CVE-2023-38950 (ZKTeco BioTime Path Traversal Vulnerability) is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 9 vulnerabilities in Zkteco with an average score of 7.5 out of ten. Last year, in 2025, Zkteco had 3 security vulnerabilities published. That is, 6 more vulnerabilities have already been reported in 2026 than in all of last year. Last year, the average CVE base score was greater by 0.05.

Year  Vulnerabilities  Average Score
2026  9                7.50
2025  3                7.55
2024  18               5.86
2023  9                7.54
2022  8                6.70

It may take a day or so for new Zkteco vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Zkteco Security Vulnerabilities

Each entry lists the CVE, its publication date, the vulnerability title and description, and the affected products (where tagged).

CVE-2016-20032 (Mar 15, 2026)
Title: Stored XSS in ZKAccess 5.3.1 via holiday_name/memo
Description: ZKTeco ZKAccess Security System 5.3.1 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads through the 'holiday_name' and 'memo' POST parameters. Attackers can submit crafted requests with script code in these parameters to compromise user browser sessions and steal sensitive information.

CVE-2016-20031 (Mar 15, 2026)
Title: ZKTeco ZKBioSecurity 3.0 Local Auth Bypass via visLogin.jsp
Description: ZKTeco ZKBioSecurity 3.0 contains a local authorization bypass vulnerability in visLogin.jsp that allows attackers to authenticate without valid credentials by spoofing localhost requests. Attackers can exploit the EnvironmentUtil.getClientIp() method which treats IPv6 loopback address 0:0:0:0:0:0:0:1 as 127.0.0.1 and authenticates using the IP as username with hardcoded password 123456 to access sensitive information and perform unauthorized actions.

CVE-2016-20030 (Mar 15, 2026)
Title: User Enumeration Vulnerability in ZKTeco ZKBioSecurity 3.0 (authLoginAction.do)
Description: ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to enumerate valid user accounts based on application responses.

CVE-2016-20029 (Mar 15, 2026)
Title: Path Manipulation in ZKTeco ZKBioSecurity 3.0: Arbitrary File Access
Description: ZKTeco ZKBioSecurity 3.0 contains a file path manipulation vulnerability that allows attackers to access arbitrary files by modifying file paths used to retrieve local resources. Attackers can manipulate path parameters to bypass access controls and retrieve sensitive information including configuration files, source code, and protected application resources.

CVE-2016-20028 (Mar 15, 2026)
Title: ZKBioSecurity 3.0 CSRF allows arbitrary superadmin account creation
Description: ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious websites. Attackers can craft HTTP requests that add superadmin accounts without validity checks, enabling unauthorized administrative access when authenticated users visit attacker-controlled pages.

CVE-2016-20027 (Mar 15, 2026)
Title: Reflected XSS in ZKBioSecurity 3.0 via unsanitized parameters
Description: ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in vulnerable parameters to execute scripts in a user's browser session within the context of the affected application.

CVE-2016-20026 (Mar 15, 2026)
Title: ZKBioSecurity 3.0 hardcoded Tomcat credentials allow arbitrary code exec
Description: ZKTeco ZKBioSecurity 3.0 contains hardcoded credentials in the bundled Apache Tomcat server that allow unauthenticated attackers to access the manager application. Attackers can authenticate with hardcoded credentials stored in tomcat-users.xml to upload malicious WAR archives containing JSP applications and execute arbitrary code with SYSTEM privileges.

CVE-2016-20025 (Mar 15, 2026)
Title: ZKTeco ZKAccess Pro 3.5.3 Insecure FPerms PrivEsc via AuthUsr Modify
Description: ZKTeco ZKAccess Professional 3.5.3 contains an insecure file permissions vulnerability that allows authenticated users to escalate privileges by modifying executable files. Attackers can leverage the Modify permission granted to the Authenticated Users group to replace executable binaries with malicious code for privilege escalation.

CVE-2016-20024 (Mar 15, 2026)
Title: ZKTime.Net 3.0.1.6 File Permission Escalation via WorldWritable ZKTimeNet3.0
Description: ZKTeco ZKTime.Net 3.0.1.6 contains an insecure file permissions vulnerability that allows unprivileged users to escalate privileges by modifying executable files. Attackers can exploit world-writable permissions on the ZKTimeNet3.0 directory and its contents to replace executable files with malicious binaries for privilege escalation.
CVE-2025-15128 (Dec 28, 2025)
Title: ZKTeco BioTime <9.5.2: Unprotected Credentials via backup_encryption_password_decrypt
Description: A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. This affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Performing a manipulation of the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Products: Biotime

CVE-2024-13966 (May 27, 2025)
Title: ZKTeco BioTime Default Password Allows Username Enumerate & Login
Description: ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords (located under the Attendance Settings tab as "Self-Password").
Products: Biotime

CVE-2025-45746 (May 13, 2025)
Title: ZKT ZKBio CVSecurity 6.4.1_R: JWT Hardcoded Token Exploit in Service Console
Description: In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft a JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform.
Products: Zkbio Cvsecurity

CVE-2024-11049 (Nov 10, 2024)
Title: ZKTeco ZKBio Time 9.0.1 Image File Handler RCE
Description: A vulnerability classified as problematic has been found in ZKTeco ZKBio Time 9.0.1. Affected is an unknown function of the file /auth_files/photo/ of the component Image File Handler. The manipulation leads to direct request. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Products: Zkbio Time

CVE-2023-51157 (Sep 25, 2024)
Title: XSS in ZKTeco WDMS v5.1.3 Pro Emp Name param
Description: Cross Site Scripting vulnerability in ZKTeco WDMS v.5.1.3 Pro allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script to the Emp Name parameter.
Products: Wdms

CVE-2024-36526 (Jul 09, 2024)
Title: ZKTeco ZKBio CVSecurity v6.1.1 Hardcoded Crypto Key
Description: ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key.
Products: Zkbio Cvsecurity

CVE-2024-6523 (Jul 05, 2024)
Title: ZKTeco BioTime <9.5.2: Remote XSS via system-group-add Handler
Description: A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input <script>alert('XSS')</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-270366 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Products: Biotime

CVE-2024-6344 (Jun 26, 2024)
Title: XSS in ZKBio CVSecurity V5000 (v4.1.0) Push Config Section
Description: A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of the argument Configuration Name leads to cross site scripting. It is possible to initiate the attack remotely. It is recommended to upgrade the affected component. The vendor explains that "[s]ince ZKBio CVSecurity v5000 has been withdrawn from the market, we recommend upgrading to ZKBio CVSecurity V6600 6.1.3_R or above". This vulnerability only affects products that are no longer supported by the maintainer.
Products: Zkbiosecurity V5000, Zkbio Cvsecurity

CVE-2024-6006 (Jun 15, 2024)
Title: XSS in ZKBio CVSecurity V5000 4.1.0 Summer Schedule Handler
Description: A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The manipulation of the argument Schedule Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor explains "that ZKBio Security V5000 has been withdrawn from the market and [is] recommended for upgrading to the ZKBio CVSecurity latest version." This vulnerability only affects products that are no longer supported by the maintainer.
Products: Zkbiosecurity V5000

CVE-2024-6005 (Jun 15, 2024)
Title: XSS in Department Section of ZKTeco ZKBio CVSecurity V5000 4.1.0
Description: A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. The manipulation of the argument Department Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor explains "that ZKBio Security V5000 has been withdrawn from the market and [is] recommended for upgrading to the ZKBio CVSecurity latest version." This vulnerability only affects products that are no longer supported by the maintainer.
Products: Zkbiosecurity V5000

CVE-2024-35433 (May 30, 2024)
Title: ZKTeco ZKBio CVSecurity 6.1.1: Authenticated User Creates Admin (Incorrect ACL)
Description: ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user.
Products: Zkbio Cvsecurity

CVE-2024-35429 (May 30, 2024)
Title: ZKTeco ZKBio CVSecurity 6.1.1 Directory Traversal via eventRecord
Description: ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord.
Products: Zkbio Cvsecurity

CVE-2024-35428 (May 30, 2024)
Title: ZKBio CVSecurity 6.1.1 Directory Traversal (BaseMediaFile) Authenticated File Delete
Description: ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server, which can lead to DoS.
Products: Zkbio Cvsecurity

CVE-2024-35431 (May 30, 2024)
Title: ZKTeco ZKBio CVSecurity 6.4.1 Dir Traversal via photoBase64
Description: ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Third parties have indicated other versions are also vulnerable, including up to 6.4.1.
Products: Zkbio Cvsecurity
CVE-2024-35430 (May 30, 2024)
Title: ZKBio CVSecurity v6.1.1_R Authenticated Bypass Password Checks
Description: In ZKTeco ZKBio CVSecurity v6.1.1_R and earlier (fixed in 6.1.3_R) an authenticated user can bypass password checks while exporting data from the application.
Products: Zkbio Cvsecurity

CVE-2024-35432 (May 30, 2024)
Title: ZKBio CVSecurity 6.1.1 XSS via Audio File (auth.)
Description: ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can inject malicious JavaScript code to trigger a Cross Site Scripting.
Products: Zkbio Cvsecurity

CVE-2023-51142 (Apr 11, 2024)
Title: ZKTeco BioTime <=8.5.4: Remote Sensitive Data Leak
Description: An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information.
Products: Biotime

CVE-2023-51141 (Apr 11, 2024)
Title: Remote Info Disclosure via Auth Component in ZKTeko BioTime v8.5.4 and earlier
Description: An issue in ZKTeko BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component.
Products: Biotime

CVE-2024-2318 (Mar 08, 2024)
Title: ZKBio Media 2.0.0_x64 PTT RCE via Service Port 9999, fixed in 2.1.3
Description: A vulnerability was found in ZKTeco ZKBio Media 2.0.0_x64_2024-01-29-1028. It has been classified as problematic. Affected is an unknown function of the file /pro/common/download of the component Service Port 9999. The manipulation of the argument fileName with the input ../../../../zkbio_media.sql leads to path traversal: '../filedir'. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.1.3 Build 2025-05-26-1605 is able to address this issue. It is recommended to upgrade the affected component.
Products: Zkbio Media

CVE-2024-22988 (Feb 23, 2024)
Title: ZKBio WDMS <9.0.2 DB Backup Download via /files/backup/
Description: ZKteco ZKBio WDMS before 9.0.2 Build 20250526 allows an attacker to download a database backup via the /files/backup/ component because the filename is based on a predictable timestamp.
Products: Zkbio Wdms

CVE-2024-1706 (Feb 21, 2024)
Title: ZKTeco ZKBio Access IVS XSS via Department Name Search Bar (v3.3.2)
Description: A vulnerability, which was classified as problematic, has been found in ZKTeco ZKBio Access IVS up to 3.3.2. Affected by this issue is some unknown functionality of the component Department Name Search Bar. The manipulation with the input <marquee>hi leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254396. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Products: Zkbio Access Ivs

CVE-2023-4587 (Sep 04, 2023)
Title: IDOR in ZKTeco ZEM800 v6.60: Local Attacker Gains Backup/Config Files
Description: An IDOR vulnerability has been found in the ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server.
Products: Zem800 Firmware

CVE-2023-38949 (Aug 03, 2023)
Title: Unauth Auth Reset in ZKTeco BioTime v8.5.5 Hidden API
Description: An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request.
Products: Biotime

CVE-2023-38950 (Aug 03, 2023)
Title: Path Traversal in ZKBioTime v8.5.5 iClock API < 9.0.120240617.19506
Description: A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.
Products: Biotime

CVE-2023-38951 (Aug 03, 2023)
Title: ZKTeco 9.0.1 Path Traversal via SFTP Settings Allows Arbitrary File Write
Description: ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM.
Products: Biotime

CVE-2023-38952 (Aug 03, 2023)
Title: ZKTeco BioTime 9.0.1 Privilege Escalation via Missing Session Validation
Description: Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced, and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints.
Products: Biotime
CVE-2023-38954 (Aug 03, 2023)
Title: ZKTeco BioAccess IVS v3.3.1 SQLi Vulnerability
Description: ZKTeco BioAccess IVS v3.3.1 was discovered to contain a SQL injection vulnerability.
Products: Bioaccess Ivs

CVE-2023-38956 (Aug 03, 2023)
Title: Unauth Path Traversal in ZKTeco BioAccess IVS v3.3.1
Description: A path traversal vulnerability in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
Products: Bioaccess Ivs

CVE-2023-38955 (Aug 03, 2023)
Title: ZKTeco BioAccess IVS 3.3.1 Unauth Info Disclosure of Device IPs
Description: ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to obtain sensitive information about all managed devices, including their IP addresses and device names.
Products: Bioaccess Ivs

CVE-2023-38958 (Aug 03, 2023)
Title: ZKTeco BioAccess IVS v3.3.1 Privileged Door Control via Access Flaw
Description: An access control issue in ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to arbitrarily close and open the doors managed by the platform remotely via sending a crafted web request.
Products: Bioaccess Ivs

CVE-2022-44213 (Dec 09, 2022)
Title: ZKBio ECO ADMS <=3.1-164 XSS Vulnerability
Description: ZKTeco Xiamen Information Technology ZKBio ECO ADMS <=3.1-164 is vulnerable to Cross Site Scripting (XSS).
Products: Automatic Data Master Server

CVE-2021-39434 (Dec 06, 2022)
Title: ZKTeco ZKTime 1011.1.0 Default Admin Credentials
Description: A default username and password for an administrator account was discovered in ZKTeco ZKTime 10.0 through 11.1.0, builds 20180901, 20190510.1, 20200309.3, 20200930, 20201231, and 20210220.
Products: Zktime

CVE-2022-38802 (Nov 30, 2022)
Title: Zkteco BioTime <8.5.3 XSS enables local file read via PDF export
Description: Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via resign, private message, manual log, time interval, attshift, and holiday. An authenticated administrator can read local files by exploiting XSS in a PDF generator when exporting data as a PDF.
Products: Biotime

CVE-2022-38803 (Nov 30, 2022)
Title: Zkteco BioTime <8.5.3 XSS PDF Export Local File Read
Description: Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log. An authenticated employee can read local files by exploiting XSS in a PDF generator when exporting data as a PDF.
Products: Biotime

CVE-2022-38801 (Nov 30, 2022)
Title: Zkteco BioTime <8.5.3 XSS Cookie Hijack (Admin Session)
Description: In Zkteco BioTime < 8.5.3 Build:20200816.447, an employee can hijack an administrator session and cookies using blind cross-site scripting.
Products: Biotime

CVE-2022-30515 (Nov 08, 2022)
Title: ZKTeco BioTime 8.5.4 Auth Bypass: Employee Photos Exposed via Filename Enumeration
Description: ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration.
Products: Biotime

CVE-2022-36635 (Oct 07, 2022)
Title: ZKBioSecurity V5000 4.1.3 SQL Injection via /baseOpLog.do
Description: ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a SQL injection vulnerability via the component /baseOpLog.do.
Products: Zkbiosecurity V5000

CVE-2022-36634 (Oct 07, 2022)
Title: Arbitrary Admin Creation via HTTP in ZKTeco ZKBioSecurity V5000 3.0.5_r
Description: An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r allows attackers to arbitrarily create admin users via a crafted HTTP request.
Products: Zkbiosecurity V5000
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).