Zkteco Biotime


Known Exploited Zkteco Biotime Vulnerabilities

The following Zkteco Biotime vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: ZKTeco BioTime Path Traversal Vulnerability (CVE-2023-38950)
Description: ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.
Exploit Probability: 80.8%
Added: May 19, 2025

The vulnerability CVE-2023-38950: ZKTeco BioTime Path Traversal Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 0 vulnerabilities in Zkteco Biotime. Last year, in 2025, Biotime had 2 security vulnerabilities published. Right now, Biotime is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year   Vulnerabilities   Average Score
2026   0                 0.00
2025   2                 5.30
2024   3                 5.40
2023   4                 8.08
2022   4                 5.93

It may take a day or so for new Biotime vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Zkteco Biotime Security Vulnerabilities

ZKTeco BioTime <9.5.2: Unprotected Credentials via backup_encryption_password_decrypt
CVE-2025-15128 5.3 - Medium - December 28, 2025

A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. This affects an unknown part of the file /base/safe_setting/ of the component Endpoint. Performing a manipulation of the argument backup_encryption_password_decrypt/export_encryption_password_decrypt results in unprotected storage of credentials. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Unprotected Storage of Credentials

ZKTeco BioTime Default Password Allows Username Enumerate & Login
CVE-2024-13966 - May 27, 2025

ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords (located under the Attendance Settings tab as "Self-Password").

ZKTeco BioTime <9.5.2: Remote XSS via system-group-add Handler
CVE-2024-6523 5.4 - Medium - July 05, 2024

A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input <script>alert('XSS')</script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-270366 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

XSS

ZKTeco BioTime <=8.5.4: Remote Sensitive Data Leak
CVE-2023-51142 - April 11, 2024

An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information.

Remote Info Disclosure via Auth Component in ZKTeco BioTime v8.5.4 and earlier
CVE-2023-51141 - April 11, 2024

An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component.

ZKTeco BioTime 9.0.1 Privilege Escalation via Missing Session Validation
CVE-2023-38952 7.5 - High - August 03, 2023

Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints.

Files or Directories Accessible to External Parties

ZKTeco 9.0.1 Path Traversal via SFTP Settings Allows Arbitrary File Write
CVE-2023-38951 9.8 - Critical - August 03, 2023

ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM.

Directory traversal

Path Traversal in ZKBioTime v8.5.5 iClock API < 9.0.120240617.19506
CVE-2023-38950 7.5 - High - August 03, 2023

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.

Directory traversal

Unauth Auth Reset in ZKTeco BioTime v8.5.5 Hidden API
CVE-2023-38949 7.5 - High - August 03, 2023

An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request.

Zkteco BioTime <8.5.3 XSS Cookie Hijack (Admin Session)
CVE-2022-38801 5.4 - Medium - November 30, 2022

In Zkteco BioTime < 8.5.3 Build:20200816.447, an employee can hijack an administrator session and cookies using blind cross-site scripting.

XSS

Zkteco BioTime <8.5.3 XSS PDF Export Local File Read
CVE-2022-38803 6.8 - Medium - November 30, 2022

Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, Overtime, and Manual log. An authenticated employee can read local files by exploiting XSS in the PDF generator when exporting data as a PDF.

XSS

Zkteco BioTime <8.5.3 XSS enables local file read via PDF export
CVE-2022-38802 6.2 - Medium - November 30, 2022

Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via resign, private message, manual log, time interval, attshift, and holiday. An authenticated administrator can read local files by exploiting XSS in the PDF generator when exporting data as a PDF.

XSS

ZKTeco BioTime 8.5.4 Auth Bypass: Employee Photos Exposed via Filename Enumeration
CVE-2022-30515 5.3 - Medium - November 08, 2022

ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration.

Missing Authentication for Critical Function
