ZKTeco BioTime multiple vulnerabilities

RISK EVALUATION ZKTeco BioTime is a web-based time and attendance management software. A default password vulnerability was found that allows an attacker to log in to any user account that does not change their password. Attackers utilizing this obtain user credentials and can possibly perform...

CVE-2024-13966

ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords located under the Attendance Settings tab as "Self-Password"...

CVE-2024-13966

CVE-2024-13966 affects ZKTeco BioTime, a web-based time and attendance system. The vulnerability allows unauthenticated attackers to enumerate usernames and log in as any user using the default password 123456, enabling potential administrative access if a user account remains with the default pa...

CVE-2024-13966 ZKTeco BioTime default password

ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords located under the Attendance Settings tab as "Self-Password"...

CVE-2024-13966 ZKTeco BioTime default password

ZKTeco BioTime allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value '123456'. Users should change their passwords located under the Attendance Settings tab as "Self-Password"...

PT-2025-23021 · Zkteco · Zkteco Biotime

Name of the Vulnerable Software and Affected Versions: ZKTeco BioTime affected versions not specified Description: The issue allows unauthenticated attackers to enumerate usernames and log in as any user with a password unchanged from the default value 123456. Recommendations: For all affected...

ZKTeco BioTime 安全漏洞

ZKTeco BioTime is a powerful web-based time and attendance management software from the Chinese company ZKTeco. A security vulnerability exists in ZKTeco BioTime that could allow an unauthenticated attacker to enumerate usernames and log in to an arbitrary account using the default password 12345...

CVE-2024-6523

A vulnerability was found in ZKTeco BioTime up to 9.5.2. It has been classified as problematic. Affected is an unknown function of the component system-group-add Handler. The manipulation of the argument user with the input leads to cross site scripting. It is possible to launch the attack...

CVE-2023-51142

An issue in ZKTeco BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information...

CVE-2023-38950

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime...

CVE-2023-38949

An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to arbitrarily reset the Administrator password via a crafted web request...

CVE-2023-51141

An issue in ZKTeko BioTime v.8.5.4 and before allows a remote attacker to obtain sensitive information via the Authentication & Authorization component...

CVE-2022-38802

Zkteco BioTime 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via resign, private message, manual log, time interval, attshift, and holiday. An authenticated administrator can read local files by exploiting XSS into a pdf generator when exporting data as a PDF...

CVE-2022-30515

ZKTeco BioTime 8.5.4 is missing authentication on folders containing employee photos, allowing an attacker to view them through filename enumeration...

CVE-2023-38952

Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforc...

CVE-2023-38951

ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 20240617.19506 allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH...

CISA Adds Six Known Exploited Vulnerabilities to Catalog

CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-4427link is external Ivanti Endpoint Manager Mobile EPMM Authentication Bypass Vulnerability CVE-2025-4428link is external Ivanti Endpoint Manager Mobile EPMM...

ZKTeco BioTime Path Traversal Vulnerability

ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload...

VulnCheck KEV: CVE-2023-38950

ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload...

VulnCheck KEV: CVE-2023-38952

Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not...