CVE-2023-38950 — ZKTeco BioTime Path Traversal Vulnerability

CVE-2023-38950

ZKTeco BioTime — Unauthenticated Path Traversal in iclock API Enabling Arbitrary File Read

What is ZKTeco BioTime?

ZKTeco is one of the world's largest manufacturers of biometric time-attendance and physical access control systems, supplying products to factories, hospitals, government buildings, schools, and offices across more than 180 countries. BioTime is ZKTeco's cloud-based and on-premise workforce management platform that collects attendance data from biometric terminals (fingerprint, facial recognition, RFID) and manages employee scheduling and access control policies. The iclock API is the interface through which BioTime talks to the physical terminals. Because it is designed to accept connections from devices on the network, it is an exposed surface, and the data it carries comes straight from physical access control systems.

Overview

CVE-2023-38950 is a path traversal vulnerability in the iclock API of ZKTeco BioTime that allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem by supplying a crafted request. The CVE was published on 2023-08-03. It was added to the CISA KEV catalog on 2025-05-19, nearly two years later; CISA lists only vulnerabilities with evidence of active exploitation, so unpatched BioTime deployments were still being attacked at that point.

Affected Versions

Product: ZKTeco BioTime
Affected: BioTime 8.5.5 is the release named in the NVD description; treat any release without the vendor fix as affected until ZKTeco's bulletin says otherwise
Fixed: apply the latest vendor update

Consult ZKTeco's security bulletins for specific version information. BioTime deployments are often on-premise and may not receive automatic updates.

Technical Details

The vulnerability is a path traversal (CWE-22) in the BioTime iclock API. When the API processes file-related requests from connected biometric terminals (or from an attacker impersonating a terminal), it fails to adequately sanitize path components in the request payload. By supplying path traversal sequences (e.g., ../../../etc/passwd or URL-encoded variants such as %2e%2e%2f), an unauthenticated attacker can read files outside the intended directory, including operating system files, configuration files, and application data. The read is limited to what the account running BioTime can open, so the blast radius depends on how much privilege that service account has.

Sensitive data accessible via this exploit may include:

  • Database credentials stored in BioTime configuration files
  • Employee records and biometric enrollment data
  • Access control policy configurations
  • SSH keys or other credentials used by the server

The attack requires no authentication and no user interaction, and is accessible from any network that can reach the BioTime server — including the internet if BioTime is externally exposed.
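The flaw class described above, as an added illustration that is not BioTime's code: a file-serving routine that joins a request-supplied path onto a base directory with no containment check, beside a hardened version that resolves the path and rejects anything outside the base. The directory layout, file names and request payloads are constructed for the example; the vulnerable endpoint's real parameter names are not given on this page and are not assumed here.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalBlocked(Exception):
    """Raised by the hardened reader when a request escapes the base directory."""


def decode_request_path(raw: str) -> str:
    # Decode until stable so single- (%2e%2e%2f) and double-encoded
    # (%252e%252e%252f) forms collapse to the characters the filesystem sees.
    prev = None
    cur = raw
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def read_file_vulnerable(base_dir: str, requested: str) -> bytes:
    # Deliberately vulnerable (CWE-22): the decoded request path is joined onto
    # base_dir and opened without checking where it actually points.
    target = os.path.join(base_dir, decode_request_path(requested))
    with open(target, "rb") as fh:
        return fh.read()


def read_file_hardened(base_dir: str, requested: str) -> bytes:
    # Resolve symlinks and ".." components on both sides, then require the
    # result to remain inside base_dir; Path.relative_to raises on escape.
    base = Path(base_dir).resolve()
    candidate = (base / decode_request_path(requested).lstrip("/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise TraversalBlocked(requested) from None
    with open(candidate, "rb") as fh:
        return fh.read()


def _attempt(reader, base_dir: str, requested: str):
    try:
        return reader(base_dir, requested)
    except TraversalBlocked:
        return "blocked"
    except OSError:
        return "missing"


def demo() -> dict:
    # Constructed layout: <tmp>/web/iclock is the directory the API is meant
    # to serve from; <tmp>/config/db.ini stands in for a secret outside it.
    root = Path(tempfile.mkdtemp())
    base = root / "web" / "iclock"
    base.mkdir(parents=True)
    (base / "report.txt").write_bytes(b"legit")
    (root / "config").mkdir()
    (root / "config" / "db.ini").write_bytes(b"password=hunter2")

    payloads = [
        "report.txt",                                        # legitimate request
        "../../config/db.ini",                               # plain traversal
        "..%2F..%2Fconfig%2Fdb.ini",                         # URL-encoded slashes
        "%252e%252e%252f%252e%252e%252fconfig%252fdb.ini",   # double-encoded
    ]
    return {p: (_attempt(read_file_vulnerable, str(base), p),
                _attempt(read_file_hardened, str(base), p)) for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, hard) in demo().items():
        print(f"{payload!r:55} vulnerable={vuln!r:22} hardened={hard!r}")
```

The hardened reader decodes before checking for the same reason the vulnerable one decodes before opening: a containment check that runs on the raw, still-encoded string is bypassed by the first encoded payload that the later file-open layer decodes.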

Discovery

The CVE was published on 2023-08-03. CISA adds a vulnerability to the KEV catalog only when it has evidence of active exploitation, so the addition on 2025-05-19 shows that unpatched BioTime deployments were still being targeted nearly two years after publication.

Exploitation Context

Physical access control and workforce management systems are valuable targets for several threat actor categories:

  • Espionage operators — employee access records reveal who enters secure facilities, shift patterns, and organizational structure
  • Corporate intelligence — access control data can reveal sensitive operational patterns
  • Reconnaissance for follow-on attacks — this bug is read-only, so changing access rights would need a separate write primitive, but the configuration and credential files it exposes are exactly what an attacker needs to obtain one
  • Credential theft — database and configuration credentials enable deeper system compromise

The KEV addition in May 2025 confirms exploitation in the wild. CISA does not publish which organizations were hit; the sectors that deploy ZKTeco access control most heavily (manufacturing, government, healthcare) are the obvious exposure.

Remediation

  1. Apply the ZKTeco BioTime security update — check ZKTeco's security bulletin page and apply the patch for your BioTime version.
  2. Restrict network access to BioTime — the iclock API should only be accessible from networks hosting ZKTeco biometric terminals, not from the open internet; place BioTime behind a firewall with strict allowlist rules.
  3. Audit web server and application logs for iclock API requests containing traversal sequences: ../ and ..\, plus URL-encoded and double-encoded forms such as %2e%2e%2f and %252e%252e%252f. Treat a 2xx response to such a request as a likely successful file read rather than a mere attempt.
  4. Rotate all credentials stored in BioTime configuration files — database passwords, API keys, and any other secrets that could have been read via the traversal.
  5. Review employee access data for unauthorized modifications to access control rules — path traversal enables read-only access, but if credentials were stolen and used, write operations may have followed.
  6. Consider segmenting BioTime onto an isolated network segment with strict egress controls, accessible only from biometric terminals and the management workstations that administer it.
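Remediation step 3, worked as an added example that is not a ZKTeco tool and not a published exploit signature: a scanner over access-log lines that decodes the request target until stable, flags traversal sequences, separates hits on the iclock API from hits elsewhere, and marks 2xx responses as likely successful reads. The log lines are constructed; the combined log format, the /iclock/file path and the url= parameter are assumptions for the example, since this page does not name the vulnerable endpoint or parameter.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed Apache/Nginx "combined" access-log layout; a real BioTime front end
# may log differently, so adjust the regex to match your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# "../" or "..\" anywhere, or a trailing "/.." with nothing after it.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|[/\\]\.\.$')

# Constructed sample: IPs are documentation ranges, endpoint and parameter
# names are invented for the example.
SAMPLE_LOG = """\
10.0.5.21 - - [20/May/2025:08:14:02 +0000] "GET /iclock/cdata?SN=ABC123&options=all HTTP/1.1" 200 512
203.0.113.45 - - [20/May/2025:08:14:09 +0000] "GET /iclock/file?url=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.45 - - [20/May/2025:08:14:11 +0000] "GET /iclock/file?url=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
203.0.113.45 - - [20/May/2025:08:14:15 +0000] "GET /iclock/file?url=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
10.0.5.22 - - [20/May/2025:08:15:00 +0000] "POST /iclock/cdata?SN=DEF456&table=ATTLOG HTTP/1.1" 200 2
198.51.100.7 - - [20/May/2025:08:16:30 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
"""


def fully_decode(s: str) -> str:
    # Decode until stable so double-encoded sequences are caught as well.
    prev = None
    while s != prev:
        prev, s = s, unquote(s)
    return s


def scan_log(text: str, api_prefix: str = "/iclock/") -> list:
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m["target"])
        if not TRAVERSAL_RE.search(decoded):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "target": m["target"],
            "decoded": decoded,
            "status": status,
            "iclock": decoded.startswith(api_prefix),
            # A 2xx to a traversal request usually means the file was served;
            # treat those as incidents, not attempts.
            "likely_success": 200 <= status < 300,
        })
    return hits


def summarize(hits: list) -> dict:
    # Per-source counts of attempts against the iclock API and of probable reads.
    attempts = Counter(h["ip"] for h in hits if h["iclock"])
    reads = Counter(h["ip"] for h in hits if h["iclock"] and h["likely_success"])
    return {"attempts": dict(attempts), "likely_reads": dict(reads)}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        tag = "iclock" if h["iclock"] else "other"
        flag = "LIKELY READ" if h["likely_success"] else "attempt"
        print(f"{h['ip']:15} {h['status']} {tag:6} {flag:11} {h['decoded']}")
    print(summarize(found))
```

Hits outside the iclock prefix are kept in the output rather than discarded: on a BioTime host they are still traversal probes worth knowing about, they just do not point at this CVE.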

Key Details

CVE ID: CVE-2023-38950
Vendor / Product: ZKTeco — BioTime
NVD Published: 2023-08-03
NVD Last Modified: 2025-11-07
CVSS 3.1 Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
CISA KEV Added: 2025-05-19
CISA KEV Deadline: 2025-06-09
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-06-09. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2023-08-03: CVE-2023-38950 published (NVD)
2025-05-19: Added to CISA Known Exploited Vulnerabilities catalog
2025-06-09: CISA BOD 22-01 remediation deadline

References

ZKTeco Product Security Bulletins (vendor advisory)
NVD — CVE-2023-38950 (vulnerability database)
CISA KEV Catalog Entry (US government)