CVE Catalog

Actively exploited in the wild

ZKTeco BioTime Path Traversal Vulnerability

ZKTeco BioTime · Listed in the CISA KEV since 2025-05-19. CISA adds a CVE to the KEV only when it has evidence of active exploitation, so treat this as confirmed in-the-wild attacks, not a theoretical risk.

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2023-38950

High · CVSS 7.5 · KEV

Exploitation Probability (EPSS)

Very high risk
84.88%

100th percentile (rounded): this CVE scores higher than virtually all other CVEs in the EPSS data set

Summary

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via a crafted payload. This flaw is fixed in version 9.0.120240617.19506.
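To make the bug class concrete, here is an added, generic illustration written for this page. It is not ZKTeco's code and does not reproduce the BioTime iclock handler; the base directory, file names and payload are constructed. It contrasts a file lookup that joins user input onto a base path without checking the result (the pattern behind arbitrary-file-read traversal bugs) with a resolver that decodes once, canonicalises with realpath, and refuses anything that lands outside the served directory.

```python
"""Generic path-traversal demonstration (illustrative, not ZKTeco's code)."""
import os
import tempfile
from urllib.parse import unquote


def naive_read(base_dir: str, requested: str) -> bytes:
    # Vulnerable pattern: the decoded request is joined onto base_dir and
    # opened with no check on where the resulting path ends up. "../"
    # segments walk out of base_dir; an absolute path would replace it
    # entirely, because os.path.join discards earlier components.
    path = os.path.join(base_dir, unquote(requested))
    with open(path, "rb") as fh:
        return fh.read()


def safe_read(base_dir: str, requested: str) -> bytes:
    # Hardened pattern: decode once, resolve ".." and symlinks with realpath,
    # then require the canonical target to sit under the canonical base.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, unquote(requested)))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway tree (constructed sample data) and exercise both
    readers. Returns the outcomes so they can be checked programmatically."""
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "public")
        os.mkdir(public)
        with open(os.path.join(public, "logo.png"), "wb") as fh:
            fh.write(b"PNG-bytes")
        # A sensitive file one level above the directory meant to be served.
        with open(os.path.join(root, "settings.py"), "w") as fh:
            fh.write("SECRET_KEY = 'constructed-example-secret'\n")

        results = {}
        results["legit_naive"] = naive_read(public, "logo.png")
        results["legit_safe"] = safe_read(public, "logo.png")

        # Traversal payload, percent-encoded as it would arrive in a URL.
        payload = "..%2Fsettings.py"
        results["traversal_naive"] = naive_read(public, payload)  # leaks the file
        try:
            safe_read(public, payload)
            results["traversal_safe"] = "allowed"
        except PermissionError:
            results["traversal_safe"] = "blocked"
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment check compares canonical paths rather than looking for ".." in the input, so encoded, doubled, or symlink-based variants are caught the same way: whatever the input looks like, the resolved target either starts with the base directory or it does not.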

Risk Assessment

An unauthenticated attacker can remotely read sensitive files on the BioTime host, such as configuration files, stored credentials, or employee personal data. The flaw itself is a confidentiality issue (file read, not write), but leaked secrets such as database credentials or an application secret key can enable follow-on compromise of the server and the systems it talks to.

Recommendation

Immediately upgrade ZKTeco BioTime to version 9.0.120240617.19506 or later. If upgrading is not possible, restrict access to the iclock API to trusted networks only (typically the segment where the biometric terminals that talk to it live), and never expose it to the internet. Because this CVE is in the KEV, also review web-server access logs for requests to the iclock API containing traversal sequences, including percent-encoded and double-encoded forms, and rotate any credentials or keys stored in files an attacker could have read.
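The log review suggested above, as an added detection example written for this page (not a ZKTeco or CISA artifact). The sample log lines are constructed; the "/iclock/download?file=" route in them is a hypothetical placeholder, since NVD does not name the vulnerable endpoint, so the check keys on the "/iclock/" prefix plus a decoded traversal sequence rather than on one specific URL. Real deployments may use a different log format, in which case only LOG_RE needs adjusting.

```python
"""Scan access logs for traversal attempts against the BioTime iclock API
(added example for this page; sample data is constructed)."""
import re
from urllib.parse import unquote

# Common Log Format: client, identd, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# ".." followed by a forward or back slash, after decoding.
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')

# Constructed sample: two benign device calls, one static asset, and two
# traversal attempts (single- and double-encoded) against a hypothetical route.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2025:10:01:12 +0000] "GET /iclock/cdata?SN=ABC123&table=ATTLOG HTTP/1.1" 200 512
203.0.113.7 - - [19/May/2025:10:01:15 +0000] "GET /iclock/download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
198.51.100.9 - - [19/May/2025:10:02:01 +0000] "GET /static/logo.png HTTP/1.1" 200 4096
203.0.113.7 - - [19/May/2025:10:02:30 +0000] "GET /iclock/download?file=%252e%252e%252f%252e%252e%252fapp%252fsettings.py HTTP/1.1" 200 2210
192.0.2.44 - - [19/May/2025:10:03:00 +0000] "GET /iclock/getrequest?SN=DEV001 HTTP/1.1" 200 64
"""


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding. Double encoding
    ("%252e" -> "%2e" -> ".") is a standard filter-evasion trick, so a
    single unquote() is not enough."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_iclock_traversal(uri: str) -> bool:
    """True if the decoded URI targets the iclock API and carries a
    traversal sequence in its path or query string."""
    decoded = fully_decode(uri)
    if "/iclock/" not in decoded.lower():
        return False
    return TRAVERSAL_RE.search(decoded) is not None


def scan_log(text: str) -> list[dict]:
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; in production, count and report these
        uri = m.group("uri")
        if is_iclock_traversal(uri):
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "uri": uri,
                "decoded": fully_decode(uri),
                # A 200 on a traversal request is the worrying case: the file
                # was most likely served. A 4xx suggests it was blocked.
                "likely_success": m.group("status") == "200",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SUCCESS?" if f["likely_success"] else "blocked"
        print(f"{f['ts']} {f['ip']} {flag} {f['decoded']}")
```

Run it over the real access log with `scan_log(open(path).read())`. Requests that return 200 with a non-trivial response size deserve the most attention, and the source IPs of any hits should be pivoted on across the rest of the environment.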

Original NVD description (English source)

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS