cbcvebase.
CVE-2023-38952
published 2023-08-03

Priority: P2 (75, high)
CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (VulnCheck KEV)
EPSS: 2.44% (82.2th percentile)
Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges because, by default, session IDs are not validated against the type of user accessing the application. Privilege restrictions between non-admin and admin users are not enforced, so any authenticated user can invoke admin functions without restriction simply by sending direct requests to administrative endpoints.

Affected (1 range)

Vendor: zkteco
Product: biotime
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /login/
url: /base/dbbackuplog/table/?page=1&limit=1
command: username={{user}}&password=123456&captcha=&login_user=employee
  • Detect privilege escalation attempts by monitoring unauthenticated or low-privilege session requests to the admin backup enumeration endpoint /base/dbbackuplog/table/
  • Flag POST login attempts that use the default employee password '123456' together with login_user=employee, especially when the usernames are sequential numbers (1–10)
  • Identify internet-exposed BioTime instances with a Shodan or FOFA fingerprint on the 'ZKTeco Security' HTML body string
  • Alert on JSON responses from /base/dbbackuplog/table/ that contain both the 'db_type' and 'backup_file' fields, which indicates successful admin-level backup enumeration by a non-admin session
  • Monitor for an X-CSRFToken header on POST /login/ requests combined with Content-Type: application/x-www-form-urlencoded, which is the authentication flow the attack uses
  • The exploit runs a clusterbomb attack over sequential numeric usernames (1–10) and stops at the first match, so only one successful login is needed; detection rules should account for rapid sequential login attempts with the same password across different usernames
  • Session IDs are not validated against the user role by default in BioTime <= 9.0.1, so any authenticated session cookie can be replayed against admin endpoints without modification; session-based anomaly detection alone is therefore insufficient
  • The privilege escalation requires no special crafting beyond a valid session: any authenticated employee-level session can call admin endpoints directly, so access control must be enforced and validated server-side on every endpoint
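The detection rules above, as an added example that is not part of this record or of any ZKTeco code. It runs over constructed JSON-lines reverse-proxy log records (the field names src, method, path, status, session, form and resp_keys are assumptions of this example, not a real BioTime log format) and raises alerts for the default-password login pattern, the spray across sequential usernames, and any non-admin session reaching the admin backup endpoint.

```python
import json
from collections import defaultdict

# Admin-only endpoint named in the record; a deployment would extend this list.
ADMIN_PATHS = ("/base/dbbackuplog/table/",)
DEFAULT_EMPLOYEE_PASSWORD = "123456"

def detect(lines, spray_threshold=3):
    """Apply the record's detection rules to JSON-lines proxy log records.
    Returns a list of (rule, detail) tuples. Roles are learned from the
    login_user form field at a successful login (the 'admin' value is an
    assumption; the record only names 'employee')."""
    alerts = []
    session_role = {}            # session cookie -> role seen at login
    spray = defaultdict(set)     # src ip -> usernames tried with the default password
    for line in lines:
        r = json.loads(line)
        path = r["path"].split("?", 1)[0]
        form = r.get("form", {})
        if r["method"] == "POST" and path == "/login/":
            if form.get("password") == DEFAULT_EMPLOYEE_PASSWORD and form.get("login_user") == "employee":
                alerts.append(("default-employee-password", f"{r['src']} user={form.get('username')}"))
                spray[r["src"]].add(form.get("username"))
                if len(spray[r["src"]]) == spray_threshold:
                    alerts.append(("credential-spray", f"{r['src']} tried {spray_threshold} usernames with the default password"))
            if r["status"] == 200 and r.get("session"):
                session_role[r["session"]] = form.get("login_user", "unknown")
        elif path in ADMIN_PATHS:
            role = session_role.get(r.get("session"), "unauthenticated")
            if role != "admin":
                # Both JSON keys present means the backup listing was actually served.
                sev = "high" if {"db_type", "backup_file"} <= set(r.get("resp_keys", [])) else "medium"
                alerts.append((f"admin-endpoint-{sev}", f"{role} session {r.get('session')} -> {path}"))
    return alerts

# Constructed sample: a spray over usernames 1..3 that succeeds on the third try,
# followed by the new employee session pulling the backup listing; then a normal admin.
SAMPLE_LOG = [
    '{"src":"203.0.113.7","method":"POST","path":"/login/","status":401,"session":null,"form":{"username":"1","password":"123456","login_user":"employee"}}',
    '{"src":"203.0.113.7","method":"POST","path":"/login/","status":401,"session":null,"form":{"username":"2","password":"123456","login_user":"employee"}}',
    '{"src":"203.0.113.7","method":"POST","path":"/login/","status":200,"session":"s3","form":{"username":"3","password":"123456","login_user":"employee"}}',
    '{"src":"203.0.113.7","method":"GET","path":"/base/dbbackuplog/table/?page=1&limit=1","status":200,"session":"s3","resp_keys":["db_type","backup_file"]}',
    '{"src":"198.51.100.9","method":"POST","path":"/login/","status":200,"session":"a1","form":{"username":"admin","password":"<redacted>","login_user":"admin"}}',
    '{"src":"198.51.100.9","method":"GET","path":"/base/dbbackuplog/table/","status":200,"session":"a1","resp_keys":["db_type","backup_file"]}',
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(rule, detail)
```

Logging the password value is done here only so the constructed sample is self-explanatory; a real proxy should emit a boolean default-credential flag instead.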

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH