Zkteco Zkbio Cvsecurity
By the Year
In 2026 there have been 0 vulnerabilities in Zkteco Zkbio Cvsecurity. Last year, in 2025, Zkbio Cvsecurity had 1 security vulnerability published. Right now, Zkbio Cvsecurity is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 9.80 |
| 2024 | 8 | 6.80 |
It may take a day or so for new Zkbio Cvsecurity vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Zkteco Zkbio Cvsecurity Security Vulnerabilities
ZKT ZKBio CVSecurity 6.4.1_R: JWT Hardcoded Token Exploit in Service Console
CVE-2025-45746
9.8 - Critical
- May 13, 2025
In ZKT ZKBio CVSecurity 6.4.1_R an unauthenticated attacker can craft a JWT token using the hardcoded secret to authenticate to the service console. NOTE: the Supplier disputes the significance of this report because the service console is typically only accessible from a local area network, and because access to the service console does not result in login access or data access in the context of the application software platform.
Use of Hard-coded Credentials
ZKTeco ZKBio CVSecurity v6.1.1 Hardcoded Crypto Key CVE-2024-36526
CVE-2024-36526
- July 09, 2024
ZKTeco ZKBio CVSecurity v6.1.1 was discovered to contain a hardcoded cryptographic key.
XSS in ZKBio CVSecurity V5000 (v4.1.0) Push Config Section
CVE-2024-6344
- June 26, 2024
A vulnerability, which was classified as problematic, was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. This affects an unknown part of the component Push Configuration Section. The manipulation of the argument Configuration Name leads to cross-site scripting. It is possible to initiate the attack remotely. It is recommended to upgrade the affected component. The vendor explains that "[s]ince ZKBio CVSecurity v5000 has been withdrawn from the market, we recommend upgrading to ZKBio CVSecurity V6600 6.1.3_R or above". This vulnerability only affects products that are no longer supported by the maintainer.
XSS
ZKTeco ZKBio CVSecurity 6.1.1: Authenticated User Creates Admin (Incorrect ACL)
CVE-2024-35433
- May 30, 2024
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user.
ZKTeco ZKBio CVSecurity 6.1.1 Directory Traversal via eventRecord
CVE-2024-35429
6.5 - Medium
- May 30, 2024
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via eventRecord.
Directory traversal
ZKBio CVSecurity 6.1.1 Directory Traversal (BaseMediaFile) Authenticated File Delete
CVE-2024-35428
7.1 - High
- May 30, 2024
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via BaseMediaFile. An authenticated user can delete local files from the server which can lead to DoS.
Directory traversal
ZKTeco ZKBio CVSecurity 6.4.1 Dir Traversal via photoBase64
CVE-2024-35431
- May 30, 2024
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Directory Traversal via photoBase64. An unauthenticated user can download local files from the server. NOTE: Third parties have indicated other versions are also vulnerable including up to 6.4.1.
ZKBio CVSecurity 6.1.1 XSS via Audio File (auth.)
CVE-2024-35432
- May 30, 2024
ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Cross Site Scripting (XSS) via an Audio File. An authenticated user can inject malicious JavaScript code to trigger Cross Site Scripting.
ZKBio CVSecurity v6.1.1_R Authenticated Bypass Password Checks
CVE-2024-35430
- May 30, 2024
In ZKTeco ZKBio CVSecurity v6.1.1_R and earlier (fixed in 6.1.3_R) an authenticated user can bypass password checks while exporting data from the application.