CVE-2023-38952
Published: 2023-08-03
Priority: P2 · CVSS 3.1 score: 7.5 (high)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 2.44% (82.2th percentile)
Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zkteco | biotime | — | — |
Detection & IOCs (extracted from sources)
- Detect privilege escalation attempts by monitoring unauthenticated or low-privilege session requests to the admin backup enumeration endpoint /base/dbbackuplog/table/.
- Flag POST login attempts using the default employee password '123456' with login_user=employee, especially with sequential numeric usernames (1–10).
- Identify BioTime instances exposed on the internet using a Shodan or FOFA fingerprint on the "ZKTeco Security" HTML body string.
- Alert on JSON responses from /base/dbbackuplog/table/ containing both 'db_type' and 'backup_file' fields, which indicate successful admin-level backup enumeration by a non-admin session.
- Monitor for X-CSRFToken header usage in POST /login/ requests combined with Content-Type: application/x-www-form-urlencoded, which is the attack's authentication flow.
- The exploit uses a clusterbomb attack with sequential numeric usernames (1–10) and stop-at-first-match, so only one successful login is needed; detection rules should account for rapid sequential login attempts with the same password across different usernames.
- Session IDs are not validated for user role by default in BioTime <= 9.0.1, so any authenticated session cookie can be replayed against admin endpoints without modification; session-based anomaly detection alone is insufficient.
- The privilege escalation requires no special crafting beyond a valid session: any authenticated employee-level session can directly call admin endpoints, so access control must be enforced server-side for every endpoint.
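As an added defensive example (not code from the page's sources or from the vendor), the two log-based checks described above, a non-admin session getting a 200 from the admin backup endpoint and a rapid spray over sequential numeric usernames at /login/, run over a constructed log; the line layout, field names and thresholds are assumptions, not BioTime's real log format:

```python
import re
from collections import defaultdict
from datetime import datetime

ADMIN_ENDPOINTS = {"/base/dbbackuplog/table/"}  # admin-only endpoint named on the page

# Assumed log layout (hypothetical, not BioTime's real format): ts ip method path status sid user role
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
                     r"sid=(?P<sid>\S+) user=(?P<user>\S+) role=(?P<role>\S+)$")

# Constructed sample events: a spray over numeric usernames, then the employee session that
# succeeded reaching the admin backup endpoint; an admin session doing the same legitimately.
SAMPLE_LOG = """\
2023-08-03T10:00:00 203.0.113.5 POST /login/ 401 sid=- user=1 role=-
2023-08-03T10:00:01 203.0.113.5 POST /login/ 401 sid=- user=2 role=-
2023-08-03T10:00:02 203.0.113.5 POST /login/ 200 sid=abc123 user=3 role=employee
2023-08-03T10:00:05 203.0.113.5 GET /base/dbbackuplog/table/ 200 sid=abc123 user=3 role=employee
2023-08-03T10:05:00 198.51.100.9 POST /login/ 200 sid=def456 user=admin role=admin
2023-08-03T10:05:03 198.51.100.9 GET /base/dbbackuplog/table/ 200 sid=def456 user=admin role=admin
2023-08-03T10:07:00 192.0.2.77 GET /base/dbbackuplog/table/ 403 sid=zzz999 user=8 role=employee
"""

def parse(log):
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def find_privilege_escalation(log):
    """Sessions that authenticated as non-admin and then got HTTP 200 from an admin endpoint."""
    role_by_sid, hits = {}, []
    for ev in parse(log):
        if ev["method"] == "POST" and ev["path"] == "/login/" and ev["status"] == "200":
            role_by_sid[ev["sid"]] = ev["role"]  # remember the role this session logged in with
        elif ev["path"] in ADMIN_ENDPOINTS and ev["status"] == "200":
            if role_by_sid.get(ev["sid"], "unknown") != "admin":
                hits.append((ev["sid"], ev["user"], ev["path"]))
    return hits

def find_login_sprays(log, window_s=60, min_users=3):
    """Source IPs that tried >= min_users distinct numeric usernames at /login/ within window_s."""
    attempts = defaultdict(list)
    for ev in parse(log):
        if ev["method"] == "POST" and ev["path"] == "/login/" and ev["user"].isdigit():
            attempts[ev["ip"]].append((datetime.fromisoformat(ev["ts"]), ev["user"]))
    flagged = []
    for ip, evs in attempts.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window anchored at each attempt
            users = {u for t, u in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged.append(ip)
                break
    return flagged
```

A 403 on the admin endpoint is deliberately not flagged as escalation, so the check only fires on sessions that actually got through.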
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
GHSA
GHSA-7xfv-pf6f-p6v2: Insecure access control in ZKTeco BioTime v8 (unreviewed · 2023-08-04 · HIGH · CWE-552)
Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read sensitive backup files and access sensitive information such as user credentials via sending a crafted HTTP request to the static files resources of the system.
VulnCheck
zkteco biotime Files or Directories Accessible to External Parties (2023 · HIGH · CVSS 7.5)
Description: identical to the CVE summary above.
Affected: zkteco biotime
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/content/dam/fortinet/assets/reports/report-incident-response-middle
No detection rules found.
Nuclei
ZKTeco BioTime <= 9.0.1 - Privilege Escalation (CRITICAL · CVSS 9.8)
BioTime default employee credentials (password 123456) allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files.
Template:

```yaml
id: CVE-2023-38952

info:
  name: ZKTeco BioTime <= 9.0.1 - Privilege Escalation
  author: riteshs4hu
  severity: high
  description: |
    BioTime default employee credentials (password 123456) allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files.
  impact: |
    Unauthenticated attackers can access sensitive files and credentials, leading to data breach and potential system compromise.
  remediation: |
    Implement proper authentication and access controls for static file resources, and update to
```

References:
- http://zkteco.com
- https://claroty.com/team82/disclosure-dashboard/cve-2023-38952
- https://github.com/omair2084/biotime-rce-8.5.5/blob/main/biotime_enum.py
- https://krashconsulting.com/fury-of-fingers-biotime-rce/
- https://sploitus.com/exploit?id=PACKETSTORM:177859