CVE-2023-38950

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 03 August 2023
Modified: 07 November 2025
KEV Added: 19 May 2025
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.8443 (99.3rd percentile)
Risk Priority: 86 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38950 is a high-severity Path Traversal (CWE-22) vulnerability in Zkteco Biotime. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A path traversal vulnerability exists in the iclock API of ZKTeco BioTime version 8.5.5. The flaw, tracked as CVE-2023-38950 and assigned CWE-22, permits unauthenticated remote attackers to supply a crafted payload that traverses directories and reads arbitrary files on the affected system. The issue carries a CVSS 3.1 score of 7.5 and was subsequently corrected in ZKBioTime version 9.0.120240617.19506.

Unauthenticated attackers reachable over the network can exploit the vulnerability without credentials or user interaction. Successful exploitation grants read access to sensitive files, resulting in high confidentiality impact while leaving integrity and availability unaffected.

Vendor and researcher advisories indicate that upgrading to the patched ZKBioTime release resolves the issue. Public references, including disclosures from Claroty Team82 and an exploit listing on Packet Storm, document the flaw and the availability of proof-of-concept code. The associated EPSS score currently stands at 0.8216 with a recorded peak of 0.8340.

EU & UK References

Vulnerability details

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 19 May 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zkteco biotime ≤ 9.0.1

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation)

Rejects or sanitizes the crafted path-traversal payloads supplied to the iclock API before they reach the file system.

prevent (AC-3, Access Enforcement)

Enforces access-control decisions on the iclock endpoint so that unauthenticated requests cannot read arbitrary server files.

prevent

Requires prompt application of the vendor patch (v9.0.120240617.19506) that removes the path-traversal flaw from the iclock component.
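The input-validation control above is easiest to reason about as a containment check: a user-supplied file name is resolved against the directory the endpoint is allowed to serve, and the request is refused if the resolved path lands anywhere else. The following is an added illustration of that check, not code from this record or from ZKTeco's BioTime; the served directory, the function names and the sample file names are constructed for the demo.

```python
"""Path containment check for a file-serving endpoint (added example, not
ZKTeco's code).  Demonstrates the SI-10 style control the record describes:
reject or normalise a requested file name before it reaches the file system."""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested file name would escape the served directory."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the absolute path for user_path inside base_dir, or raise.

    Checks, in order:
      1. NUL bytes are refused (they truncate names at the OS layer).
      2. Absolute paths are refused; a file name is always relative.
      3. Both base and candidate are canonicalised with realpath, so '..'
         segments and symlinks are collapsed before the comparison.
      4. The canonical candidate must sit under the canonical base.
    """
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in file name")
    if os.path.isabs(user_path):
        raise PathTraversalError("absolute path rejected")
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, user_path))
    # commonpath of the two must be the base itself; a prefix string test
    # alone would wrongly accept a sibling such as /srv/served-private.
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise PathTraversalError(f"escapes served directory: {user_path!r}")
    return candidate


def read_served_file(base_dir: str, user_path: str) -> bytes:
    """The hardened form of 'open(os.path.join(base, name))'."""
    with open(resolve_within(base_dir, user_path), "rb") as fh:
        return fh.read()


def classify(base_dir: str, names: list[str]) -> dict[str, str]:
    """Map each requested name to 'allowed' or 'rejected' by the check."""
    verdicts = {}
    for name in names:
        try:
            resolve_within(base_dir, name)
            verdicts[name] = "allowed"
        except PathTraversalError:
            verdicts[name] = "rejected"
    return verdicts


def demo() -> dict:
    """Build a constructed served directory with one file inside and one
    file just outside it, then run a set of requests through the check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "served")
        os.makedirs(base)
        with open(os.path.join(base, "report.txt"), "wb") as fh:
            fh.write(b"constructed report contents")
        with open(os.path.join(tmp, "outside.txt"), "wb") as fh:
            fh.write(b"must never be readable through the endpoint")
        requests = [
            "report.txt",            # plain name, allowed
            "sub/../report.txt",     # '..' that stays inside base, allowed
            "../outside.txt",        # climbs out of base, rejected
            "/etc/hostname",         # absolute path, rejected
            "report.txt\x00.png",    # NUL truncation attempt, rejected
        ]
        results = classify(base, requests)
        results["content"] = read_served_file(base, "report.txt")
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

The check is deliberately applied to the decoded name the HTTP layer hands the handler, not to the raw URL: decoding a second time inside the check would create the double-encoding mismatch it is meant to prevent. Logging the rejected names from `classify` gives a ready-made detection signal for the kind of probing this CVE attracts.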

References