CVE-2023-38950
published 2023-08-03


Priority: P1 (91, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CISA Known Exploited Vulnerability, remediation due 2025-06-09
Exploited in the wild
EPSS: 84.88% (99.7th percentile)
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.

Affected (1 range)

Vendor   Product   Version range   Fixed in
zkteco   biotime   < 9.0.1         9.0.1

Detection & IOCs (extracted from sources)

url:  /iclock/file?url=/../../../../../../../../../windows/win.ini
path: /iclock/file
yara: contains_all(base64_decode(body), "; for 16-bit app support", "[extensions]")
  • Detect unauthenticated GET requests to the /iclock/file endpoint with a 'url' parameter containing path traversal sequences (e.g., /../ or ../).
  • A successful exploitation response will return HTTP 200 with Content-Type text/plain and a body containing Windows win.ini markers such as '; for 16-bit app support' and '[extensions]'.
  • Use Shodan, FOFA, or Google dorks to identify exposed ZKTeco BioTime instances as potential targets: http.title:"biotime", title="biotime", intitle:"biotime".
  • The vulnerability is exploitable without authentication (PR:N, UI:N); monitor for requests to /iclock/file from unauthenticated sessions.
  • The PoC payload targets Windows systems (win.ini); Linux/Unix deployments would require different traversal payloads (e.g., /etc/passwd). Detection rules should account for both OS variants.
  • This CVE is listed on CISA KEV with a remediation due date of 2025-06-09, indicating active exploitation in the wild.
  • The vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime; detections should flag instances running version 8.5.5 or earlier.
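Added example, not code from the source page or from the vendor: a Python log-side detector for the first and fourth detection bullets above, flagging requests to /iclock/file whose url parameter resolves to a parent-directory traversal (single- or double-encoded), plus the response-side win.ini marker check mirroring the matcher listed above. The access-log lines and client addresses are constructed.

```python
# Added example (not from the original page): log-side detection for the
# /iclock/file traversal pattern. SAMPLE_LOG is constructed, not real traffic.
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/iclock/file"
WIN_MARKERS = ("; for 16-bit app support", "[extensions]")

# Constructed access-log lines (common log format); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2023:10:00:01 +0000] "GET /iclock/file?url=/../../../../../../../../../windows/win.ini HTTP/1.1" 200 412
203.0.113.5 - - [01/Aug/2023:10:00:02 +0000] "GET /iclock/file?url=%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1890
198.51.100.9 - - [01/Aug/2023:10:00:03 +0000] "GET /iclock/file?url=/upload/photo.jpg HTTP/1.1" 200 73211
198.51.100.9 - - [01/Aug/2023:10:00:04 +0000] "GET /iclock/cdata?SN=TEST HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(value: str) -> bool:
    """True if the decoded value contains a parent-directory ('..') segment.
    Decoded twice so single- and double-percent-encoded '../' are both caught;
    backslashes are normalised because the PoC targets a Windows host."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def detect_iclock_traversal(log_text: str) -> list:
    """One alert per request whose path is /iclock/file and whose 'url'
    query parameter traverses out of the intended directory."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        for url_value in parse_qs(parts.query).get("url", []):
            if is_traversal(url_value):
                alerts.append({"ip": m["ip"], "url_param": unquote(url_value),
                               "status": int(m["status"])})
    return alerts


def response_is_win_ini(body: str) -> bool:
    """Response-side check matching the listed matcher: all win.ini markers present."""
    return all(marker in body for marker in WIN_MARKERS)
```

A status 200 on an alerted request, combined with a positive response_is_win_ini on the captured body, corresponds to the successful-exploitation indicator in the second bullet.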

CVSS provenance

nvd:       v3.1  7.5  HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck:       7.5  HIGH
cisa:            7.5  HIGH