Unrated severityNVD Advisory· Published Aug 3, 2023· Updated May 27, 2025

CVE-2023-38952

Description

Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing the application by default. Privilege restrictions between non-admin and admin users are not enforced and any authenticated user can leverage admin functions without restriction by making direct requests to administrative endpoints.

Affected products

Zkteco/BioTimecpe-rescue

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

zkteco.commitre
claroty.com/team82/disclosure-dashboard/cve-2023-38952mitre
github.com/omair2084/biotime-rce-8.5.5/blob/main/biotime_enum.pymitre
krashconsulting.com/fury-of-fingers-biotime-rce/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.015
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000