CVE-2023-38950
Published 2023-08-03
Priority: P1 (91) · Severity: high · CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-06-09
Exploited in the wild
EPSS: 84.88% (99.7th percentile)
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zkteco | biotime | < 9.0.1 | 9.0.1 |
Detection & IOCs (extracted from sources)
yara rule, as indexed:
`contains_all(base64_decode(body), "; for 16-bit app support", "[extensions]")`
- Detect unauthenticated GET requests to the /iclock/file endpoint with a 'url' parameter containing path traversal sequences (e.g., /../ or ../).
- A successful exploitation response will return HTTP 200 with Content-Type text/plain and a body containing Windows win.ini markers such as '; for 16-bit app support' and '[extensions]'.
- Use Shodan, FOFA, or Google dorks to identify exposed ZKTeco BioTime instances as potential targets: http.title:"biotime", title="biotime", intitle:"biotime".
- The vulnerability is exploitable without authentication (PR:N, UI:N); monitor for requests to /iclock/file from unauthenticated sessions.
- The PoC payload targets Windows systems (win.ini); Linux/Unix deployments would require different traversal payloads (e.g., /etc/passwd). Detection rules should account for both OS variants.
- This CVE is listed on CISA KEV with a remediation due date of 2025-06-09, indicating active exploitation in the wild.
- The vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime; detections should flag instances running version 8.5.5 or earlier.
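As an added example (not code from the page, the vendor or any of the indexed sources), the detection notes above applied to access-log lines: it flags requests to /iclock/file whose url parameter contains a '..' segment after percent-decoding, whatever the target file, so both the win.ini and the /etc/passwd variants are caught, and it marks HTTP 200 responses as likely successful reads. The endpoint and parameter name are the page's; the log format, IP addresses, timestamps and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined access-log format (not taken from the page);
# the request targets imitate the /iclock/file?url=... pattern the notes describe.
SAMPLE_LOG = """\
203.0.113.5 - - [19/May/2025:10:01:02 +0000] "GET /iclock/file?url=/../../../../windows/win.ini HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [19/May/2025:10:01:03 +0000] "GET /iclock/file?url=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1780 "-" "curl/8.0"
203.0.113.5 - - [19/May/2025:10:01:04 +0000] "GET /iclock/file?url=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.7 - - [19/May/2025:10:02:00 +0000] "GET /iclock/file?url=report.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
198.51.100.7 - - [19/May/2025:10:02:01 +0000] "GET /iclock/cdata?SN=ABC123 HTTP/1.1" 200 20 "-" "ZKTeco"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# A '..' path segment bounded by / or \ (or the ends of the value): one traversal step.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded dots/slashes (%252e, %252f) are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def detect_iclock_traversal(log_text):
    """Flag requests to /iclock/file whose 'url' parameter holds a traversal segment.
    The check is on the traversal, not the file name, so win.ini and /etc/passwd
    targets alike are caught; a 200 status marks a likely successful read."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        if parts.path != '/iclock/file':
            continue
        # parse_qs decodes once; fully_decode strips any extra encoding layers.
        for raw in parse_qs(parts.query, keep_blank_values=True).get('url', []):
            decoded = fully_decode(raw)
            if TRAVERSAL_RE.search(decoded):
                findings.append({'ip': m['ip'], 'url_param': decoded,
                                 'status': int(m['status']),
                                 'likely_success': m['status'] == '200'})
    return findings
```

Running `detect_iclock_traversal(SAMPLE_LOG)` yields three findings (the two 200 responses as likely reads, the double-encoded 403 attempt as a blocked one) and ignores the legitimate report.pdf download and the /iclock/cdata device check-in.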
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |
CISA
ZKTeco BioTime Path Traversal Vulnerability
cisa · 2025-05-19 · CVSS 7.5
CVE-2023-38950 [HIGH] CWE-22
Vulnerability: ZKTeco BioTime Path Traversal Vulnerability
Affected: ZKTeco BioTime
ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.zkteco.com/en/Security_Bulletinsibs ; https://nvd.nist.gov/vuln/detail/CVE-2023-38950
Remediation Due Date: 2025-06-09
GHSA
GHSA-27mv-5vpc-8g53: A path traversal vulnerability in the iclock API of ZKTeco BioTime v8
ghsa_unreviewed · 2023-08-04
CVE-2023-38950 [HIGH] CWE-22
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
VulnCheck
ZKTeco BioTime Path Traversal Vulnerability
vulncheck · 2023 · CVSS 7.5
CVE-2023-38950 [HIGH] CWE-22
ZKTeco BioTime contains a path traversal vulnerability in the iclock API that allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.
Affected: ZKTeco BioTime
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://app.crowdsec.net/cti/cve-explorer/CVE-2023-38950
- https://ics-cert.kaspersky.com/publications/reports/2025/09/04/apt-and-financial-attacks-on-industrial-
No detection rules found.
Nuclei
ZKTeco BioTime v8.5.5 - Path Traversal
nuclei · CVSS 7.5
CVE-2023-38950 [HIGH]
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
Template (info block as indexed; the request section is not shown on this page):
```yaml
id: CVE-2023-38950

info:
  name: ZKTeco BioTime v8.5.5 - Path Traversal
  author: iamnoooob,pdresearch
  severity: high
  description: |
    A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.
  impact: |
    Unauthenticated attackers can read arbitrary files from the server through path traversal in the iclock API url parameter, potentially exposing employee biometric data, attendance records, and system credentials.
  remediation: |
    Update ZKTeco BioTime to a version newer than 8.5.5
```
No writeups or analysis indexed.
References:
- http://zkteco.com
- https://claroty.com/team82/disclosure-dashboard/cve-2023-38950
- https://sploitus.com/exploit?id=PACKETSTORM:177859
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38950
- https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east.pdf
Timeline:
- 2023-08-03: Published
- 2025-05-19: Added to CISA KEV
- Exploited in the wild