CVE-2023-38951
Published: 03 August 2023
Summary
CVE-2023-38951 is a critical-severity Path Traversal (CWE-22) vulnerability in ZKTeco BioTime. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
ZKTeco BioTime versions 8.5.5 through 9.x prior to 9.0.1 (build 20240617.19506) contain a path traversal flaw combined with missing input sanitization in the /base/sftpsetting/ endpoints. The Username field accepts directory traversal sequences while the SSH Key field accepts unsanitized content, enabling an attacker to create or overwrite arbitrary files on the underlying Windows server.
An authenticated remote attacker can supply a crafted request that writes files to sensitive locations such as system directories or startup folders. Successful overwrite of specific files yields arbitrary code execution with NT AUTHORITY\SYSTEM privileges, giving the attacker full control of the host.
Vendor references point to an updated BioTime release (9.0.1 build 20240617.19506) available from the ZKTeco download site and an accompanying announcement that addresses the issue. Public proof-of-concept code has also been published that demonstrates enumeration and exploitation of the endpoints.
The EPSS score has remained flat at 0.1758 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42711
Vulnerability details
ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
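As an added defender-side example (not BioTime's code and not part of this advisory), this shows the checks implied by the weakness description above and by the CWE-22 control: an allow-list on the account name before it becomes part of a file name, a containment check on the resolved path, and a format check that the SSH Key field holds exactly one OpenSSH public-key line. The key directory, the one-file-per-account layout and the regular expressions are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Constructed example layout (not BioTime's real storage or code).
KEY_BASE_DIR = Path("/var/lib/example-sftp/keys")

# Allow-list for the account name that becomes part of a file name. The first
# character must be a letter, digit or underscore, so "." and ".." never match.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")

# Exactly one OpenSSH public-key line: key type, base64 blob, optional comment.
PUBKEY_RE = re.compile(
    r"^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) "
    r"[A-Za-z0-9+/]+={0,2}( [^\r\n]*)?$"
)

class SftpSettingError(ValueError):
    """Raised when a username or key would not be safe to persist."""

def key_file_path(username: str, base_dir: Path = KEY_BASE_DIR) -> Path:
    """Map an account name to its key file, refusing anything that could leave base_dir."""
    if not USERNAME_RE.fullmatch(username):
        raise SftpSettingError("username contains characters outside the allow-list")
    base = base_dir.resolve(strict=False)
    candidate = (base / f"{username}.pub").resolve(strict=False)
    # Defence in depth: the resolved file must sit directly inside base_dir,
    # even if the allow-list above were ever loosened.
    if candidate.parent != base:
        raise SftpSettingError("resolved path escapes the key directory")
    return candidate

def validate_public_key(key: str) -> str:
    """Accept a single OpenSSH public-key line; reject multi-line or arbitrary content."""
    line = key.strip()
    if any(ch in line for ch in "\r\n\x00"):
        raise SftpSettingError("key must be one line without control characters")
    if not PUBKEY_RE.fullmatch(line):
        raise SftpSettingError("key is not an OpenSSH public-key line")
    return line

def is_safe_setting(username: str, key: str) -> bool:
    """True when both fields pass validation, False when either is rejected."""
    try:
        key_file_path(username)
        validate_public_key(key)
        return True
    except SftpSettingError:
        return False
```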