CVE-2023-38951
published 2023-08-03
CVE-2023-38951: ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted…
Priority: P1 · 81 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.20% (86.5th percentile)
ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zkteco | biotime | 8.5.5 through 9.x before 9.0.1 | 9.0.1 (20240617.19506) |
Detection & IOCs (extracted from sources)
- url: /login/
- url: /base/dbbackuplog/table/?page=1&limit=1
- command: username={{user}}&password=123456&captcha=&login_user=employee
- other: shodan: http.html:"ZKTeco Security"
- other: fofa: body="ZKTeco Security"

Detection guidance:
- Look for POST requests to /login/ with the parameter login_user=employee and password=123456, indicating exploitation of default employee credentials for privilege escalation.
- Monitor for crafted requests to /base/sftpsetting/ endpoints containing path traversal sequences in the Username field and unsanitized input in the SSH Key field, which may indicate an attempt to create or overwrite arbitrary files.
- Monitor GET requests to /base/dbbackuplog/table/ from sessions authenticated as low-privilege employees, which may indicate enumeration of backup files after privilege escalation.
- Successful exploitation may result in arbitrary code execution as NT AUTHORITY\SYSTEM; monitor for unexpected processes spawned under that account on BioTime servers.
- Sessions are not role-validated in BioTime; detect privilege escalation by correlating employee-level login sessions performing admin-level API actions (e.g., accessing backup logs).

Caveats:
- The Nuclei template targets CVE-2023-38952 (privilege escalation) rather than CVE-2023-38951 (path traversal/file write/RCE); the two are related but distinct vulnerabilities in the same product. Ensure the correct CVE is being tracked.
- The exploit requires prior authentication; the path traversal and SSH Key injection via /base/sftpsetting/ are only reachable by authenticated users (including low-privilege employees who escalated via default credentials).
- The template brute-forces numeric usernames (1–10) with the default password 123456; detection rules should account for sequential numeric username login attempts against /login/ with login_user=employee.
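The indicators and guidance above can be turned into a small triage check that runs over request records. The following is an added example written for this page, not code from BioTime, the Nuclei template or any of the cited sources. The record layout, the `role` field (a real pipeline would have to join the session's role in from session data) and the `username` / `ssh_key` form field names on /base/sftpsetting/ are assumptions, and the request records are constructed samples, not captured traffic.

```python
"""Triage checks for the BioTime indicators listed above (added example).

Assumptions (hypothetical, not taken from BioTime or the cited sources):
  * each request is a dict with src, method, path, body and role, where
    role is the role of the session that sent it (joined in from session
    data by whoever feeds this script);
  * the /base/sftpsetting/ form uses the field names 'username' and 'ssh_key'.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote

# One ../ or ..\ segment, anchored at a separator or at either end of the value.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample records, not real traffic: a default-credential sweep,
# backup-log enumeration from the resulting employee session, a traversal
# attempt in the SFTP username, and a benign admin doing the same flow.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.9", "method": "POST", "path": "/login/", "role": None,
     "body": "username=1&password=123456&captcha=&login_user=employee"},
    {"src": "203.0.113.9", "method": "POST", "path": "/login/", "role": None,
     "body": "username=2&password=123456&captcha=&login_user=employee"},
    {"src": "203.0.113.9", "method": "POST", "path": "/login/", "role": None,
     "body": "username=3&password=123456&captcha=&login_user=employee"},
    {"src": "203.0.113.9", "method": "GET", "role": "employee", "body": "",
     "path": "/base/dbbackuplog/table/?page=1&limit=1"},
    {"src": "203.0.113.9", "method": "POST", "path": "/base/sftpsetting/", "role": "employee",
     "body": "username=..%2F..%2F..%2Fexample.txt&host=10.0.0.5&ssh_key=not-a-key"},
    {"src": "198.51.100.4", "method": "POST", "path": "/login/", "role": None,
     "body": "username=jdoe&password=S3cret%21&captcha=&login_user=admin"},
    {"src": "198.51.100.4", "method": "POST", "path": "/base/sftpsetting/", "role": "admin",
     "body": "username=backup&host=10.0.0.5&ssh_key=ssh-rsa+AAAA..."},
]


def parse_form(body: str) -> dict[str, str]:
    """First value of each form field; keeps empty fields such as captcha=."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def has_traversal(value: str) -> bool:
    """Detect ../ or ..\\ in a field, including once-more-encoded forms
    (parse_qs already decoded one layer, unquote() strips a second)."""
    return any(TRAVERSAL.search(v) for v in (value, unquote(value)))


def classify(req: dict) -> list[str]:
    """Per-request tags for the indicators in the list above."""
    path = req["path"].split("?", 1)[0]
    form = parse_form(req["body"]) if req["method"] == "POST" else {}
    tags: list[str] = []
    if path == "/login/" and form.get("login_user") == "employee" \
            and form.get("password") == "123456":
        tags.append("default-employee-credentials")
    if path.startswith("/base/sftpsetting/"):
        if has_traversal(form.get("username", "")):
            tags.append("sftpsetting-username-traversal")
        if req.get("role") == "employee":
            tags.append("sftpsetting-by-employee-session")
    if path.startswith("/base/dbbackuplog/") and req.get("role") == "employee":
        tags.append("backup-log-enum-by-employee-session")
    return tags


def credential_sweeps(reqs: list[dict], min_run: int = 3) -> set[str]:
    """Sources that walked consecutive numeric employee usernames at /login/,
    the pattern of the template's 1..10 sweep."""
    per_src: dict[str, set[int]] = {}
    for r in reqs:
        if r["method"] != "POST" or r["path"].split("?", 1)[0] != "/login/":
            continue
        form = parse_form(r["body"])
        if form.get("login_user") == "employee" and form.get("username", "").isdigit():
            per_src.setdefault(r["src"], set()).add(int(form["username"]))
    flagged = set()
    for src, users in per_src.items():
        ordered, run = sorted(users), 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(src)
                break
    return flagged


def detect(reqs: list[dict]) -> list[tuple[int | None, str]]:
    """(record index, tag) pairs; sweep findings carry index None."""
    findings = [(i, t) for i, r in enumerate(reqs) for t in classify(r)]
    findings += [(None, f"credential-sweep:{src}") for src in sorted(credential_sweeps(reqs))]
    return findings


if __name__ == "__main__":
    for idx, tag in detect(SAMPLE_REQUESTS):
        print(f"{idx!s:>4}  {tag}")
```

The per-request tags are deliberately kept separate from the cross-request sweep check: a single default-credential login is noise on a system where employees really do use 123456, while a run of consecutive numeric usernames from one source, followed by an employee session touching /base/sftpsetting/ or /base/dbbackuplog/, is the chain the caveats above describe. The traversal check decodes one extra layer so that %2e%2e%2f-style encodings of the Username field are not missed.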
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 9.8 CRITICAL

Note that the NVD vector scores PR:N (no privileges required) while the description says the file write needs an authenticated user; the default employee password exploited by CVE-2023-38952 (see the Nuclei entry below) is what makes the chain reachable without valid credentials.
GHSA
GHSA-vc5p-9c2v-8jwq: A path traversal vulnerability in ZKTeco BioTime v8
ghsa_unreviewed · 2023-08-04 · CVE-2023-38951 · CRITICAL · CWE-22
A path traversal vulnerability in ZKTeco BioTime v8.5.5 allows attackers to write arbitrary files by using a malicious SFTP configuration.
VulnCheck
zkteco biotime Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2023 · CVE-2023-38951 · CRITICAL · CVSS 9.8
Description: identical to the NVD text above (authenticated arbitrary file create/overwrite via /base/sftpsetting/, with code execution as NT AUTHORITY\SYSTEM if the right file is overwritten).
Affected: zkteco biotime
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle-east
No detection rules found.
Nuclei
ZKTeco BioTime <= 9.0.1 - Privilege Escalation
nuclei · CVE-2023-38952 · CRITICAL · CVSS 9.8
BioTime default employee credentials (password 123456) allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files.
Template:

```yaml
id: CVE-2023-38952

info:
  name: ZKTeco BioTime <= 9.0.1 - Privilege Escalation
  author: riteshs4hu
  severity: high
  description: |
    BioTime default employee credentials (password 123456) allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files.
  impact: |
    Unauthenticated attackers can access sensitive files and credentials, leading to data breach and potential system compromise.
  remediation: |
    Implement proper authentication and access controls for static file resources, and update to
```

References:
- https://claroty.com/team82/disclosure-dashboard/cve-2023-38951
- https://github.com/omair2084/biotime-rce-8.5.5/blob/main/biotime_enum.py
- https://krashconsulting.com/fury-of-fingers-biotime-rce/
- https://www.zkteco.com/en/ZKBio_Time/ZKBioTime#Download
- https://www.zkteco.com/en/announcement
- http://zkteco.com
- https://sploitus.com/exploit?id=PACKETSTORM:177859