cbcvebase.
CVE-2023-38951
published 2023-08-03

Priority: P1 (81) · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Exploit status: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 3.20% (86.5th percentile)
ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM.

Affected (1 range)

Vendor   Product   Version range                                      Fixed in
zkteco   biotime   8.5.5 through 9.x before 9.0.1 (20240617.19506)   9.0.1 (20240617.19506)

Detection & IOCs (extracted from sources)

url: /base/sftpsetting/
url: /login/
url: /base/dbbackuplog/table/?page=1&limit=1
command: username={{user}}&password=123456&captcha=&login_user=employee
other: shodan: http.html:"ZKTeco Security"
other: fofa: body="ZKTeco Security"
  • Look for POST requests to /login/ with the parameter login_user=employee and password=123456, indicating exploitation of default employee credentials for privilege escalation.
  • Monitor for crafted requests to /base/sftpsetting/ endpoints containing path traversal sequences in the Username field and unsanitized input in the SSH Key field, which may indicate an attempt to create or overwrite arbitrary files.
  • Monitor GET requests to /base/dbbackuplog/table/ from sessions authenticated as low-privilege employees, which may indicate enumeration of backup files after privilege escalation.
  • Successful exploitation may result in arbitrary code execution as NT AUTHORITY\SYSTEM; monitor for unexpected processes spawned under that account on BioTime servers.
  • Sessions are not role-validated in BioTime; detect privilege escalation by correlating employee-level login sessions performing admin-level API actions (e.g., accessing backup logs).
  • The Nuclei template targets CVE-2023-38952 (privilege escalation) rather than CVE-2023-38951 (path traversal/file write/RCE); the two are related but distinct vulnerabilities in the same product. Ensure the correct CVE is being tracked.
  • The exploit requires prior authentication; the path traversal and SSH Key injection via /base/sftpsetting/ are only reachable by authenticated users (including low-privilege employees who escalated via default credentials).
  • The template brute-forces numeric usernames (1–10) with the default password 123456; detection rules should account for sequential numeric username login attempts against /login/ with login_user=employee.
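One way to turn the detection notes above into a rule, as an added example that is not part of this record, the Nuclei template or ZKTeco's code: a Python detector run over constructed proxy log lines. The log format (timestamp, client, session id, method, path, decoded form/query parameters on one line), the session ids and the sample values are assumptions; only the endpoints and parameter names listed above are taken from the record.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample lines (not from the record): "<ts> <client> sess=<id> <METHOD> <path> [<params>]".
# Assumes a proxy in front of BioTime logs the form body / query string on the same line as the request.
SAMPLE_LOG = """\
2024-06-20T10:00:01Z 203.0.113.5 sess=a1 POST /login/ username=1&password=123456&captcha=&login_user=employee
2024-06-20T10:00:02Z 203.0.113.5 sess=a1 POST /login/ username=2&password=123456&captcha=&login_user=employee
2024-06-20T10:00:03Z 203.0.113.5 sess=a1 POST /login/ username=3&password=123456&captcha=&login_user=employee
2024-06-20T10:00:05Z 203.0.113.5 sess=a1 GET /base/dbbackuplog/table/ page=1&limit=1
2024-06-20T10:00:09Z 203.0.113.5 sess=a1 POST /base/sftpsetting/ username=..%2F..%2Fx&host=127.0.0.1
2024-06-20T10:01:00Z 198.51.100.7 sess=b2 POST /login/ username=jsmith&password=REDACTED&captcha=&login_user=employee
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) sess=(?P<sess>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<params>\S+))?$")

def parse_line(line):
    """Split one log line into fields; params become a dict via parse_qs (which URL-decodes values)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["params"] or "", keep_blank_values=True).items()}
    return rec

def detect(log_text):
    """Return (rule, session, detail) alerts for the CVE-2023-38951 / CVE-2023-38952 patterns listed above."""
    alerts, escalated, numeric_logins = [], set(), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        p, sess, path = rec["params"], rec["sess"], rec["path"]
        if rec["method"] == "POST" and path == "/login/" and p.get("login_user") == "employee":
            if p.get("password") == "123456":  # default employee credential from the record
                alerts.append(("default-employee-credentials", sess, p.get("username")))
                escalated.add(sess)
            if p.get("username", "").isdigit():
                numeric_logins[sess].append(int(p["username"]))
        # Path traversal in the Username field of the SFTP settings endpoint (checked on the decoded value).
        if path.startswith("/base/sftpsetting/") and ".." in p.get("username", "").replace("\\", "/").split("/"):
            alerts.append(("sftpsetting-path-traversal", sess, p["username"]))
        # Backup-log enumeration from a session that earlier logged in with the default employee password.
        if rec["method"] == "GET" and path.startswith("/base/dbbackuplog/table/") and sess in escalated:
            alerts.append(("backup-log-enum-after-escalation", sess, path))
    for sess, users in numeric_logins.items():  # sequential numeric usernames 1, 2, 3, ... from one session
        if len(users) >= 3 and users == list(range(users[0], users[0] + len(users))):
            alerts.append(("sequential-numeric-username-spray", sess, f"{users[0]}-{users[-1]}"))
    return alerts
```

Session b2 (a normal employee login with a non-default password) produces no alert, which is the false-positive case a rule built only on login_user=employee would miss.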

CVSS provenance

NVD: v3.1 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL