Actively exploited in the wild
ZKTeco BioTime Path Traversal Vulnerability
ZKTeco — BioTime · Listed in the CISA KEV since 2025-05-19. This indicates confirmed attacks in production environments.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2023-38950
Severity: High (CVSS 7.5) · KEV · Exploitation Probability (EPSS): very high risk, 100th percentile (higher than 100% of all known CVEs)
Summary
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via a crafted payload. This flaw is fixed in version 9.0.120240617.19506.
Risk Assessment
An unauthenticated attacker who can reach the iclock API can read arbitrary files on the BioTime server; exposed configuration, credentials or database contents can lead to data leakage and provide a foothold for further escalation.
Recommendation
Immediately update ZKBioTime to version 9.0.120240617.19506 or later, and restrict access to the iclock API to trusted networks only.
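The two defensive measures above, the vendor fix (canonicalise and bound any user-supplied file name) and network restriction plus monitoring of the API, can be illustrated with the following added example. It is not ZKTeco's code and does not reflect how BioTime handles files; the allowed directory, the `/iclock/` URL prefix and the log lines are constructed placeholders for demonstration. `safe_resolve` is the server-side pattern that closes the path traversal class, and `flag_traversal` is a log-side detector that fully percent-decodes request paths before looking for `..` segments aimed at the API prefix.

```python
"""Added example (not ZKTeco's code): defensive checks for path traversal.

  1. safe_resolve(): canonicalise a requested file name and refuse anything
     that escapes the allowed directory (the fix pattern for this bug class).
  2. flag_traversal(): scan web-server access logs for traversal sequences
     in requests to a given API prefix, decoding percent-encoding first so
     double encoding cannot hide '../'.

Assumptions: the allowed directory, the '/iclock/' URL prefix and the sample
log lines are constructed placeholders, not real BioTime paths or traffic.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# ---- 1. Server-side mitigation ---------------------------------------------

def safe_resolve(base_dir, requested):
    """Return the absolute path for `requested` only if it lies inside base_dir.

    Returns None for NUL bytes and for any '..' escape, including escapes
    that go through symlinks (resolve() follows them before the check).
    A leading '/' is stripped so an absolute request is treated as relative
    to base_dir instead of replacing it.
    """
    if "\x00" in requested:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if outside base
    except ValueError:
        return None
    return str(candidate)


def demo():
    """Exercise safe_resolve against a temporary allowed directory (constructed)."""
    with tempfile.TemporaryDirectory() as allowed:
        Path(allowed, "report.txt").write_text("ok")
        return {
            "plain": safe_resolve(allowed, "report.txt") is not None,
            "dotdot": safe_resolve(allowed, "../../etc/hosts"),   # None
            "nul": safe_resolve(allowed, "report.txt\x00.jpg"),   # None
        }

# ---- 2. Log-side detection -------------------------------------------------

_REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')
_TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")  # '..' followed by a separator


def full_unquote(s, rounds=3):
    """Percent-decode until the string stops changing (bounded to `rounds`)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def flag_traversal(log_lines, api_prefix="/iclock/"):
    """Return (client_ip, decoded_path) for requests under api_prefix that
    contain a '..' segment after full decoding and backslash normalisation."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        path = full_unquote(m.group(1)).replace("\\", "/")
        if path.startswith(api_prefix) and _TRAVERSAL_RE.search(path):
            hits.append((line.split(" ", 1)[0], path))
    return hits


# Constructed access-log lines in Common Log Format; not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [20/May/2025:10:01:02 +0000] "GET /iclock/report.txt HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/May/2025:10:01:03 +0000] "GET /iclock/..%2F..%2Fconfig%2Fsettings.ini HTTP/1.1" 200 1024',
    '203.0.113.9 - - [20/May/2025:10:01:04 +0000] "GET /iclock/%252e%252e/%252e%252e/win.ini HTTP/1.1" 200 88',
    '198.51.100.4 - - [20/May/2025:10:01:05 +0000] "GET /static/app.js HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    print(demo())
    for ip, path in flag_traversal(SAMPLE_LOGS):
        print(f"traversal attempt from {ip}: {path}")
```

Two design points matter here. First, `safe_resolve` compares canonical paths rather than searching the input for `..`, so encodings, mixed separators and symlinks are all handled by the same check. Second, the detector decodes in a bounded loop and normalises backslashes before matching, which is what lets it catch the double-encoded request in the third sample line; a single `unquote` would leave `%2e%2e` in place and miss it.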
Original NVD description (English source)
A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.